Edit tour

Windows Analysis Report
b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Overview

General Information

Sample name:	b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe
Analysis ID:	1581378
MD5:	12ac061f02656d9e3d3cfbdd429a6bcf
SHA1:	5d6bb219d35a0dd57ddcbdb5950e9307593279e0
SHA256:	b1593574e46fb1f30b1da4fa594f43bb52b051a616db390abf23ef45508f8b13
Tags:	exeXenoRATuser-abuse_ch
Infos:

Detection

XenoRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XenoRAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found potential dummy code loops (likely to delay analysis)

Installs a global keyboard hook

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential time zone aware malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe" MD5: 12AC061F02656D9E3D3CFBDD429A6BCF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XenoRAT		No Attribution	https://axmahr.github.io/posts/xenorat-detection/ https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/ https://github.com/moom825/xeno-rat https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github https://hunt.io/blog/xenorat-excel-xll-confuserex-as-access-method	https://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat

Malware Configuration

Threatname: XenoRAT

{"C2 url": "194.59.30.69", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "nothingset"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	rat_win_xeno_rat	Xeno RAT is an open-source RAT, used by Kimsuky in January 2024	Sekoia.io	0xb15c:$: Xeno-manager 0x250:$: moom825

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1643596965.00000000007B2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe PID: 7308	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe.7b0000.0.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
0.0.b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe.7b0000.0.unpack	rat_win_xeno_rat	Xeno RAT is an open-source RAT, used by Kimsuky in January 2024	Sekoia.io	0xb15c:$: Xeno-manager 0x250:$: moom825

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET MALWARE Xenorat Default Handshake Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:37:03.587659+0100	2058419	1	A Network Trojan was detected	194.59.30.69	16589	192.168.2.4	49730	TCP
2024-12-27T14:37:06.843864+0100	2058419	1	A Network Trojan was detected	194.59.30.69	16589	192.168.2.4	49731	TCP
2024-12-27T14:37:12.268793+0100	2058419	1	A Network Trojan was detected	194.59.30.69	16589	192.168.2.4	49732	TCP
2024-12-27T14:37:17.260923+0100	2058419	1	A Network Trojan was detected	194.59.30.69	16589	192.168.2.4	49734	TCP

ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:37:19.853964+0100	2050110	1	Malware Command and Control Activity Detected	194.59.30.69	16589	192.168.2.4	49734	TCP
2024-12-27T14:40:04.240627+0100	2050110	1	Malware Command and Control Activity Detected	194.59.30.69	16589	192.168.2.4	49731	TCP
2024-12-27T14:40:34.376153+0100	2050110	1	Malware Command and Control Activity Detected	194.59.30.69	16589	192.168.2.4	49730	TCP

ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:37:19.937706+0100	2050111	1	Malware Command and Control Activity Detected	192.168.2.4	49734	194.59.30.69	16589	TCP
2024-12-27T14:37:59.991704+0100	2050111	1	Malware Command and Control Activity Detected	192.168.2.4	49731	194.59.30.69	16589	TCP
2024-12-27T14:38:24.459236+0100	2050111	1	Malware Command and Control Activity Detected	192.168.2.4	49731	194.59.30.69	16589	TCP
2024-12-27T14:39:12.428763+0100	2050111	1	Malware Command and Control Activity Detected	192.168.2.4	49731	194.59.30.69	16589	TCP
2024-12-27T14:39:42.912839+0100	2050111	1	Malware Command and Control Activity Detected	192.168.2.4	49731	194.59.30.69	16589	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Malware Configuration Extractor: XenoRAT {"C2 url": "194.59.30.69", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "nothingset"}

Multi AV Scanner detection for submitted file

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Virustotal: Detection: 79%			Perma Link
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Joe Sandbox ML: detected

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\moom825\Desktop\xeno-rat\xeno-rat\Plugins\KeyLoggerOffline\obj\Release\KeyLoggerOffline.pdbYpsp ep_CorDllMainmscoree.dll source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4108815174.00000000055D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: .pdbYp source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B53000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\moom825\Desktop\xeno-rat\xeno-rat\Plugins\KeyLoggerOffline\obj\Release\KeyLoggerOffline.pdb source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4108815174.00000000055D0000.00000004.08000000.00040000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058419 - Severity 1 - ET MALWARE Xenorat Default Handshake Inbound : 194.59.30.69:16589 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2058419 - Severity 1 - ET MALWARE Xenorat Default Handshake Inbound : 194.59.30.69:16589 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2058419 - Severity 1 - ET MALWARE Xenorat Default Handshake Inbound : 194.59.30.69:16589 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2058419 - Severity 1 - ET MALWARE Xenorat Default Handshake Inbound : 194.59.30.69:16589 -> 192.168.2.4:49734
Source: Network traffic	Suricata IDS: 2050110 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In : 194.59.30.69:16589 -> 192.168.2.4:49734
Source: Network traffic	Suricata IDS: 2050111 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive : 192.168.2.4:49734 -> 194.59.30.69:16589
Source: Network traffic	Suricata IDS: 2050111 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive : 192.168.2.4:49731 -> 194.59.30.69:16589
Source: Network traffic	Suricata IDS: 2050110 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In : 194.59.30.69:16589 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2050110 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In : 194.59.30.69:16589 -> 192.168.2.4:49730

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 194.59.30.69

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 194.59.30.69 ports 1,5,6,8,9,16589

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 194.59.30.69:16589

Source: Joe Sandbox View

ASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE

Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69
Source: unknown	TCP traffic detected without corresponding DNS query: 194.59.30.69

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, type: SAMPLE	Matched rule: Xeno RAT is an open-source RAT, used by Kimsuky in January 2024 Author: Sekoia.io
Source: 0.0.b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe.7b0000.0.unpack, type: UNPACKEDPE	Matched rule: Xeno RAT is an open-source RAT, used by Kimsuky in January 2024 Author: Sekoia.io

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_02920B12	0_2_02920B12
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_02922320	0_2_02922320
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_02929050	0_2_02929050
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_02929920	0_2_02929920
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_0292EE48	0_2_0292EE48
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_0292DE6A	0_2_0292DE6A
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_02928D08	0_2_02928D08
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_055E64C0	0_2_055E64C0
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_055E64B0	0_2_055E64B0
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_055EE3BC	0_2_055EE3BC

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4109365555.00000000063A9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B62000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeyLoggerOffline.dllB vs b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4106900494.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4108815174.00000000055D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKeyLoggerOffline.dllB vs b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000000.1643611700.00000000007BE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXeno_manager.exe: vs b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Binary or memory string: OriginalFilenameXeno_manager.exe: vs b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, type: SAMPLE	Matched rule: rat_win_xeno_rat author = Sekoia.io, description = Xeno RAT is an open-source RAT, used by Kimsuky in January 2024, creation_date = 2024-02-09, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/moom825/xeno-rat/tree/main/xeno%20rat%20client, id = 4be1ff07-8180-42a8-9f51-b5e17bf23442
Source: 0.0.b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe.7b0000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xeno_rat author = Sekoia.io, description = Xeno RAT is an open-source RAT, used by Kimsuky in January 2024, creation_date = 2024-02-09, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/moom825/xeno-rat/tree/main/xeno%20rat%20client, id = 4be1ff07-8180-42a8-9f51-b5e17bf23442

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Mutant created: \Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Virustotal: Detection: 79%
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\moom825\Desktop\xeno-rat\xeno-rat\Plugins\KeyLoggerOffline\obj\Release\KeyLoggerOffline.pdbYpsp ep_CorDllMainmscoree.dll source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4108815174.00000000055D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: .pdbYp source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B53000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\moom825\Desktop\xeno-rat\xeno-rat\Plugins\KeyLoggerOffline\obj\Release\KeyLoggerOffline.pdb source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4108815174.00000000055D0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, DllHandler.cs	.Net Code: DllNodeHandler

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Static PE information: 0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC]

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_055E8E10 push es; ret	0_2_055E9290
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_055E928A push es; ret	0_2_055E9290
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_055E9B60 push es; ret	0_2_055E9B76
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Code function: 0_2_055E9ABA push es; ret	0_2_055E9B56

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Memory allocated: 2AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Memory allocated: 4AA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Window / User API: threadDelayed 4948			Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Window / User API: threadDelayed 4892			Jump to behavior

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe TID: 7344	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe TID: 7404	Thread sleep count: 4948 > 30	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe TID: 7416	Thread sleep count: 4892 > 30	Jump to behavior

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	System information queried: CurrentTimeZoneInformation			Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	System information queried: CurrentTimeZoneInformation			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4106900494.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Code function: 0_2_0292EE48 LdrInitializeThunk,

0_2_0292EE48

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B83000.00000004.00000800.00020000.00000000.sdmp, b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002D40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B83000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer - Program Manager
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B83000.00000004.00000800.00020000.00000000.sdmp, b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002D40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@'
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002E10000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer - Program ManagerP
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002F68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerlBkq
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002EEE000.00000004.00000800.00020000.00000000.sdmp, b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002B83000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer - Prog@\kq explorer - Program Manager
Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002ADF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Queries volume information: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4106900494.0000000000D86000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected XenoRAT

Source: Yara match	File source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, type: SAMPLE
Source: Yara match	File source: 0.0.b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1643596965.00000000007B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe PID: 7308, type: MEMORYSTR

Remote Access Functionality

Yara detected XenoRAT

Source: Yara match	File source: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, type: SAMPLE
Source: Yara match	File source: 0.0.b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1643596965.00000000007B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe PID: 7308, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	132 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	132 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	79%	Virustotal		Browse
b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.XenoRAT
b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
194.59.30.69	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
194.59.30.69	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe, 00000000.00000002.4107606826.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.59.30.69	unknown	Germany		30823	COMBAHTONcombahtonGmbHDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581378
Start date and time:	2024-12-27 14:36:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 20 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:37:45	API Interceptor	11175386x Sleep call for process: b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COMBAHTONcombahtonGmbHDE	Syncing.exe	Get hash	malicious	AsyncRAT	Browse	185.223.30.86
	l4.exe	Get hash	malicious	Unknown	Browse	194.59.30.220
	l4.exe	Get hash	malicious	Unknown	Browse	194.59.30.220
	client.exe	Get hash	malicious	Unknown	Browse	194.59.30.220
	client.exe	Get hash	malicious	Unknown	Browse	194.59.30.220
	Shipping Bill No6239999Dt09122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	194.59.30.164
	Shipping Bill No6239999Dt09122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	194.59.30.164
	Shipping Bill6239999 dated 13122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	194.59.30.164
	Support.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse	194.59.31.27
	Counseling_Services_Overview.docm	Get hash	malicious	Unknown	Browse	45.147.231.195

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.641387758285389
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe
File size:	46'592 bytes
MD5:	12ac061f02656d9e3d3cfbdd429a6bcf
SHA1:	5d6bb219d35a0dd57ddcbdb5950e9307593279e0
SHA256:	b1593574e46fb1f30b1da4fa594f43bb52b051a616db390abf23ef45508f8b13
SHA512:	36a8ff30b69343d96b41034330f30ccf00e0bf9f71f58e385bc8c03ffaf23cc23130f7ad705b6d23f51e44810f2438fedcaa7bd0cc57af27de106c54c6b3957a
SSDEEP:	768:ydhO/poiiUcjlJInH7ElmH9Xqk5nWEZ5SbTDa6uI7CPW5F:Uw+jjgnbElmH9XqcnW85SbTPuIN
TLSH:	2223F84C57AC8923E6AF5ABD9832426387B3F3669532E38F08CCD4E9379338555053A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40cafe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB6F61BA2 [Sat Apr 9 13:44:02 2067 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcab0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x5d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xab04	0xac00	21922ac4e44669208a28051a461d0c0a	False	0.44933230377906974	data	5.725579791460193	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x5d0	0x600	413d41ad2a0da7fe255f98970731f053	False	0.453125	data	4.404307394530879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	6d873b42f9427714a740f31af0c53c0c	False	0.041015625	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x344	data			0.4533492822966507
RT_MANIFEST	0xe3e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T14:37:03.587659+0100	2058419	ET MALWARE Xenorat Default Handshake Inbound	1	194.59.30.69	16589	192.168.2.4	49730	TCP
2024-12-27T14:37:06.843864+0100	2058419	ET MALWARE Xenorat Default Handshake Inbound	1	194.59.30.69	16589	192.168.2.4	49731	TCP
2024-12-27T14:37:12.268793+0100	2058419	ET MALWARE Xenorat Default Handshake Inbound	1	194.59.30.69	16589	192.168.2.4	49732	TCP
2024-12-27T14:37:17.260923+0100	2058419	ET MALWARE Xenorat Default Handshake Inbound	1	194.59.30.69	16589	192.168.2.4	49734	TCP
2024-12-27T14:37:19.853964+0100	2050110	ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In	1	194.59.30.69	16589	192.168.2.4	49734	TCP
2024-12-27T14:37:19.937706+0100	2050111	ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive	1	192.168.2.4	49734	194.59.30.69	16589	TCP
2024-12-27T14:37:59.991704+0100	2050111	ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive	1	192.168.2.4	49731	194.59.30.69	16589	TCP
2024-12-27T14:38:24.459236+0100	2050111	ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive	1	192.168.2.4	49731	194.59.30.69	16589	TCP
2024-12-27T14:39:12.428763+0100	2050111	ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive	1	192.168.2.4	49731	194.59.30.69	16589	TCP
2024-12-27T14:39:42.912839+0100	2050111	ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive	1	192.168.2.4	49731	194.59.30.69	16589	TCP
2024-12-27T14:40:04.240627+0100	2050110	ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In	1	194.59.30.69	16589	192.168.2.4	49731	TCP
2024-12-27T14:40:34.376153+0100	2050110	ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In	1	194.59.30.69	16589	192.168.2.4	49730	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 14:37:02.214278936 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:02.333969116 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:02.334093094 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:03.587658882 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:03.614049911 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:03.734103918 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:04.018625975 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:04.021290064 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:04.141129017 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:04.425324917 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:04.474415064 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:04.626535892 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:04.677548885 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:05.048670053 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:05.168353081 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:05.462032080 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:05.471035957 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:05.505676985 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:05.590697050 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:05.590812922 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:06.843863964 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:06.845263958 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:06.964828968 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:07.251355886 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:07.252636909 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:07.253128052 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:07.253592968 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:07.254020929 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:07.372134924 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:07.372498035 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:07.373023987 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:07.373543978 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:08.992376089 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:08.992465019 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:08.994517088 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:08.994539022 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:09.037091017 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:09.117060900 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:09.117142916 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:09.117156029 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:12.268793106 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:12.270714998 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:12.390269041 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:13.512017012 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:13.513803959 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:13.633474112 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:13.988416910 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:13.989948034 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:13.990540981 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:13.991234064 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:13.992428064 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:14.109699011 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:14.109952927 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:14.110616922 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:14.111911058 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:15.205513000 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:15.207196951 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:15.326719999 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:15.842163086 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:15.843451023 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:15.845012903 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:15.859738111 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:15.896346092 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:15.963052988 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:15.963126898 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:15.979454041 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:16.867285013 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:16.869493961 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:16.989002943 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:17.260922909 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:17.262435913 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:17.384689093 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:17.678076029 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:17.682389975 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:17.683005095 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:17.683413982 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:17.683809042 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:17.802048922 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:17.802772999 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:17.803162098 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:17.803543091 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:18.270713091 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:18.270725012 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:18.272099018 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:18.276830912 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:18.392246962 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:18.396862030 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.113714933 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.167463064 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:19.323918104 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.325320005 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:19.445197105 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.662015915 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.664213896 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:19.783725977 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.845499992 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.845525026 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.845535994 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.845566988 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:19.845665932 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.845678091 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.845688105 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.845699072 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.845700026 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:19.845724106 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:19.853964090 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.854015112 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:19.854110956 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.862410069 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.862454891 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:19.862525940 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.870676041 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:19.870723963 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:19.931332111 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:19.937705994 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:20.051942110 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:20.057638884 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:20.480406046 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:20.521343946 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:20.677830935 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:20.686681032 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:20.806262016 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:20.982974052 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:20.985258102 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:20.990478039 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:20.993837118 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:21.067425013 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:21.068947077 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:21.110588074 CET	16589	49734	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:21.110662937 CET	49734	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:21.191941977 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:22.482662916 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:22.484267950 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:22.603883028 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:23.083218098 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:23.088875055 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:23.209640026 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:23.896738052 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:23.898078918 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:24.017728090 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:25.318433046 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:25.320394039 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:25.439918995 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:25.490326881 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:25.496767998 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:25.616563082 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:26.739939928 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:26.741267920 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:26.860904932 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:27.896246910 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:27.943231106 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:28.019431114 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:28.139373064 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:28.162123919 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:28.163515091 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:28.283132076 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:29.552623034 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:29.554773092 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:29.674349070 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:30.428915977 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:30.434187889 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:30.553694963 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:30.976423025 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:30.978060961 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:31.097582102 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:32.395849943 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:32.415988922 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:32.535613060 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:32.833281040 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:32.880866051 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:32.889281034 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:33.010037899 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:33.833810091 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:33.836153030 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:33.955722094 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:35.258297920 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:35.261425972 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:35.286386013 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:35.290627956 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:35.381082058 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:35.410135984 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:36.677098989 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:36.678930044 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:36.798505068 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:37.692953110 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:37.698585987 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:37.818187952 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:38.084124088 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:38.085319996 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:38.205102921 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:39.489856958 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:39.491817951 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:39.802681923 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:40.079895020 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:40.079952955 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:40.079982042 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:40.079993010 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:40.099325895 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:40.107842922 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:40.227351904 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:41.364754915 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:41.368093967 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:41.487654924 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:42.489590883 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:42.494033098 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:42.613720894 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:42.787389040 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:42.788604021 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:42.908205986 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:44.209789038 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:44.211760044 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:44.331482887 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:44.896121979 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:44.906456947 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:45.026170969 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:45.722031116 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:45.723285913 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:45.842835903 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:47.115935087 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:47.117573977 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:47.237449884 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:47.286434889 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:47.292062998 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:47.411832094 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:48.521513939 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:48.522779942 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:48.644695997 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:49.692790031 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:49.714899063 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:49.834595919 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:49.944489002 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:49.945641994 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:50.066382885 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:51.528526068 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:51.530797005 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:51.650434971 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:52.099884033 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:52.123189926 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:52.243159056 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:52.927294970 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:52.928703070 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:53.048346996 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:54.348994017 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:54.350219965 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:54.469731092 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:54.520936966 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:54.525609970 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:54.645275116 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:55.740750074 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:55.742183924 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:55.861869097 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:56.943032980 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:56.948384047 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:57.070391893 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:57.146020889 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:57.147893906 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:57.267388105 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:58.568572998 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:58.569819927 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:58.689327955 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:59.349062920 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:59.354713917 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:37:59.474184990 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:59.990365028 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:37:59.991703987 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:00.111985922 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:01.411561012 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:01.413578987 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:01.533401966 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:01.739630938 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:01.746169090 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:01.865936995 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:02.817845106 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:02.819586992 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:02.943845987 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:04.146580935 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:04.151731968 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:04.239487886 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:04.241192102 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:04.271394014 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:04.360662937 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:05.662164927 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:05.666980982 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:05.786639929 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:06.552788019 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:06.558162928 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:06.677870989 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:07.068001986 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:07.069500923 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:07.189023018 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:08.474817991 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:08.476295948 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:08.596735954 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:08.958712101 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:08.964020967 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:09.083523035 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:09.896163940 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:09.899274111 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:10.018719912 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:11.302376986 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:11.303683996 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:11.364608049 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:11.369848013 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:11.423597097 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:11.489557028 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:12.708487034 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:12.755903006 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:12.762653112 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:12.882277966 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:13.755928040 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:13.761053085 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:13.881139994 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:14.176815033 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:14.178636074 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:14.298784018 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:15.598956108 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:15.649539948 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:15.858293056 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:15.977864981 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:16.161679029 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:16.167412043 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:16.286923885 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:17.270701885 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:17.272629976 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:17.393069983 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:18.570739031 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:18.615278959 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:18.659002066 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:18.677834034 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:18.724673986 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:18.753479004 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:18.778664112 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:18.873740911 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:20.160866976 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:20.171885967 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:20.291383028 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:21.067879915 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:21.074358940 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:21.193883896 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:21.583129883 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:21.587579012 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:21.707140923 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:23.004921913 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:23.039463043 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:23.164902925 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:23.473751068 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:23.479034901 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:23.598506927 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:24.457875967 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:24.459235907 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:24.578754902 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:25.864831924 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:25.865016937 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:25.866662979 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:25.871093035 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:25.986397028 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:25.990732908 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:27.270539999 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:27.272660017 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:27.392369032 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:28.312345982 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:28.318674088 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:28.438170910 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:28.677046061 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:28.678925037 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:28.798548937 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:30.099272966 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:30.102591991 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:30.222069979 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:30.724070072 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:30.731005907 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:30.851092100 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:31.520961046 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:31.522331953 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:31.641875982 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:32.927113056 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:32.929328918 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:33.049715042 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:33.130310059 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:33.137335062 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:33.257016897 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:34.333967924 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:34.337424040 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:34.457098961 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:35.537504911 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:35.543942928 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:35.663502932 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:35.740046978 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:35.741252899 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:35.860718012 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:37.145634890 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:37.147558928 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:37.267174006 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:37.942476034 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:37.953430891 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:38.073071003 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:38.544955015 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:38.549438000 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:38.725526094 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:39.958466053 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:39.960231066 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:40.079766989 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:40.338048935 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:40.343122005 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:40.462692976 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:41.364008904 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:41.365068913 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:41.484574080 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:42.739595890 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:42.747486115 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:42.770931005 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:42.772309065 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:42.866993904 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:42.892333984 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:44.192683935 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:44.194130898 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:44.313551903 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:45.161324024 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:45.166974068 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:45.286566973 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:45.598896027 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:45.600367069 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:45.719991922 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:46.989440918 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:46.991669893 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:47.112031937 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:47.567301989 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:47.571747065 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:47.691237926 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:48.411597013 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:48.413405895 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:48.533035040 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:49.833108902 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:49.834400892 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:49.954282999 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:49.959075928 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:49.965348005 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:50.084845066 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:51.223838091 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:51.225601912 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:51.345154047 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:52.364483118 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:52.369467974 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:52.488986015 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:52.629703999 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:52.633382082 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:52.752933025 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:54.051434994 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:54.052648067 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:54.172238111 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:54.770412922 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:54.777307987 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:54.896820068 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:55.442387104 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:55.444219112 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:55.563935041 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:56.866055965 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:56.869266987 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:57.002528906 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:57.176624060 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:57.182991982 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:57.302681923 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:58.270169020 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:58.277254105 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:58.396764994 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:59.567222118 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:59.573175907 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:59.692671061 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:59.693320990 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:38:59.694581032 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:38:59.814239979 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:01.114168882 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:01.115971088 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:01.235436916 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:02.152097940 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:02.156862020 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:02.276314974 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:02.535888910 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:02.538140059 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:02.657845020 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:03.942473888 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:03.943706036 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:04.063361883 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:04.567224026 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:04.573191881 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:04.692907095 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:05.348417044 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:05.350270987 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:05.469980955 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:06.754942894 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:06.757178068 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:06.876688957 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:06.973155975 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:06.981503963 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:07.101260900 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:08.176389933 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:08.181155920 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:08.300739050 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:09.379975080 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:09.386691093 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:09.506496906 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:09.600244045 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:09.601505995 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:09.721096992 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:11.004854918 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:11.007096052 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:11.127496004 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:11.770123959 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:11.776150942 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:11.895812035 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:12.426352024 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:12.428762913 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:12.549328089 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:13.848573923 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:13.850271940 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:13.970638037 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:14.161067009 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:14.166985035 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:14.286624908 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:15.254652023 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:15.256145954 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:15.375763893 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:16.567023993 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:16.577011108 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:16.661432028 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:16.663145065 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:16.696646929 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:16.782705069 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:18.082391977 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:18.088088036 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:18.207570076 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:18.973156929 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:19.021260977 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:19.077258110 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:19.198312998 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:19.488827944 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:19.490710020 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:19.610438108 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:20.879363060 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:20.887042046 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:21.006638050 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:21.703777075 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:21.710436106 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:21.968617916 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:21.968666077 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:21.968750000 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:22.505057096 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:22.507342100 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:22.626780987 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:23.926187038 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:23.928230047 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:24.136545897 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:24.255944014 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:24.263351917 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:24.382987022 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:25.332066059 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:25.333259106 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:25.452779055 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:27.128782034 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:27.128808975 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:27.129051924 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:27.129072905 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:27.129096985 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:27.129113913 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:27.132162094 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:27.205781937 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:27.251681089 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:27.325308084 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:28.552551031 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:28.556196928 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:28.675704956 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:29.613506079 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:29.617554903 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:29.737138033 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:29.957201004 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:29.961740971 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:30.081347942 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:31.363651037 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:31.364887953 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:31.484364986 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:32.020342112 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:32.026956081 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:32.146473885 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:33.017292023 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:33.018955946 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:33.133999109 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:33.134042978 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:33.138403893 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:34.426449060 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:34.426460981 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:34.431834936 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:34.431835890 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:34.551592112 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:34.551601887 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:35.848018885 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:35.857369900 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:35.978492022 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:36.832087040 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:36.840893030 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:36.960546970 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:37.254894972 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:37.256551981 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:37.376130104 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:38.676213980 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:38.678009987 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:38.797606945 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:39.238615036 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:39.333575010 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:39.347291946 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:39.466830969 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:40.097222090 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:40.098597050 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:40.218146086 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:41.503983974 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:41.505220890 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:41.624969959 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:41.753892899 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:41.760844946 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:41.880388021 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:42.910089016 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:42.912838936 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:43.032392979 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:44.160187006 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:44.166908979 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:44.286480904 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:44.332195997 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:44.333458900 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:44.454075098 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:45.738959074 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:45.740118027 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:45.859575987 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:46.566803932 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:46.571201086 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:46.690773964 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:47.148969889 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:47.150568962 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:47.271614075 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:48.567270041 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:48.569329977 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:48.689318895 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:48.972960949 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:48.978934050 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:49.098448038 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:49.989007950 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:49.990835905 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:50.110567093 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:51.380666971 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:51.387275934 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:51.410749912 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:51.412185907 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:51.507669926 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:51.531676054 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:52.816351891 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:52.819936991 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:52.939522982 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:53.785432100 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:53.792120934 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:53.911577940 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:54.222623110 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:54.228746891 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:54.348437071 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:55.644671917 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:55.646500111 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:55.767487049 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:56.192080975 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:56.196729898 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:56.316288948 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:57.035353899 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:57.040118933 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:57.159615040 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:58.457036018 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:58.458513975 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:58.578104019 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:58.597862959 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:58.603980064 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:58.723752975 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:59.863553047 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:39:59.864826918 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:39:59.984371901 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:01.003808022 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:01.014780045 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:01.135050058 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:01.269731045 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:01.271456003 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:01.391155005 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:02.691301107 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:02.707667112 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:02.827101946 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:03.412188053 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:03.417973995 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:03.539006948 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:04.113214970 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:04.119676113 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:04.240627050 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:05.520625114 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:05.522631884 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:05.642182112 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:05.816268921 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:05.820210934 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:05.940141916 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:06.940807104 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:06.944122076 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:07.063612938 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:08.222625017 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:08.231055975 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:08.350665092 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:08.362915039 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:08.363862038 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:08.483374119 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:09.753858089 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:09.755063057 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:09.874577999 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:10.628632069 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:10.634211063 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:10.753778934 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:11.160264015 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:11.162935019 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:11.282685995 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:12.583537102 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:12.584883928 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:12.704941988 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:13.019814968 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:13.036585093 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:13.156434059 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:34.252852917 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:34.253086090 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:34.253177881 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:34.253176928 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:34.256603003 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:34.256603956 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:34.257090092 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:34.259834051 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:34.259840012 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:34.260446072 CET	50007	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:34.376152992 CET	16589	49730	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:34.376163960 CET	16589	49731	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:34.376218081 CET	49730	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:34.376223087 CET	49731	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:34.379689932 CET	16589	49732	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:34.379806995 CET	49732	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:34.379868984 CET	16589	50007	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:34.379941940 CET	50007	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:40:56.290337086 CET	16589	50007	194.59.30.69	192.168.2.4
Dec 27, 2024 14:40:56.294523001 CET	50007	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:41:02.352302074 CET	50008	16589	192.168.2.4	194.59.30.69
Dec 27, 2024 14:41:02.472157955 CET	16589	50008	194.59.30.69	192.168.2.4
Dec 27, 2024 14:41:02.472376108 CET	50008	16589	192.168.2.4	194.59.30.69

Target ID:	0
Start time:	08:36:56
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe"
Imagebase:	0x7b0000
File size:	46'592 bytes
MD5 hash:	12AC061F02656D9E3D3CFBDD429A6BCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000000.00000000.1643596965.00000000007B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.3%
Total number of Nodes:	172
Total number of Limit Nodes:	6

Executed Functions

Function 0292EE48 Relevance: 2.3, APIs: 1, Instructions: 763
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4107496956.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3094369df0a257e82811bebfb43a7ec59fef120520c577333b8c51eea664c25
Instruction ID: 983cb573dabac0fb4db0b8a7f804bff9e89a1691e083287ae7bc53f82e56f2c5
Opcode Fuzzy Hash: f3094369df0a257e82811bebfb43a7ec59fef120520c577333b8c51eea664c25
Instruction Fuzzy Hash: 9E723770A00319CFCB15DFA8C584A9DBBF2BF4A310F2585A9E409AF3A5D734AD45CB50

Function 02920B12 Relevance: 1.8, Strings: 1, Instructions: 576
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

doq, xrefs: 02920CA2

Memory Dump Source

Source File: 00000000.00000002.4107496956.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID: doq
API String ID: 0-3318987180
Opcode ID: 42cf1a854eefdec5196a4375f19bcac2e8c605dcf5c1fa18aa0d1dc3aee17977
Instruction ID: d735a2c07eda6eb514dffd27b6c4f2c2a5d533976134515c2cf5942a6eaf20ef
Opcode Fuzzy Hash: 42cf1a854eefdec5196a4375f19bcac2e8c605dcf5c1fa18aa0d1dc3aee17977
Instruction Fuzzy Hash: 97423974A002598FCB15DFA8C584A9DBBF2FF89314F158569E405EB3AADB30AC49CF50

Function 02922320 Relevance: 1.6, Strings: 1, Instructions: 381
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P {, xrefs: 02922373

Memory Dump Source

Source File: 00000000.00000002.4107496956.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID: P {
API String ID: 0-3249437620
Opcode ID: f1af22aed2f6c1ceca574f2bf1fcc16b21f1e9ffb111c67d4fccc7c4ac8be771
Instruction ID: b487a2052eb5a8cd6d266914597408645fbf942dd41695ed762b9d429bab68b0
Opcode Fuzzy Hash: f1af22aed2f6c1ceca574f2bf1fcc16b21f1e9ffb111c67d4fccc7c4ac8be771
Instruction Fuzzy Hash: 7502D3B4E012499FDB05CF68D484A9DBBF2BF49320F1985A5E805AB366DB34EC85CF50

Function 02929050 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vcm, xrefs: 02929307

Memory Dump Source

Source File: 00000000.00000002.4107496956.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID: \Vcm
API String ID: 0-3044874373
Opcode ID: 450ae150e70595728013c07edb867ca3b4181b256992652cf328e134936e8aca
Instruction ID: c6851367940a991462ce744cf8677abbf71fff5d34b0e14a2a76099c9add292d
Opcode Fuzzy Hash: 450ae150e70595728013c07edb867ca3b4181b256992652cf328e134936e8aca
Instruction Fuzzy Hash: C3B12F70E00229CFEB14CFA9D9857DDBBF6BF88314F248529D415E7298EB749849CB81

Function 0292DE6A Relevance: .5, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4107496956.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793923a787ac206325f3054d9ea36e4e982f44762ae3ca30e400d068baa55914
Instruction ID: 4520d304637d3011dc653c8e16bb395e0e3fab4e2084590293e9e260a23f55c5
Opcode Fuzzy Hash: 793923a787ac206325f3054d9ea36e4e982f44762ae3ca30e400d068baa55914
Instruction Fuzzy Hash: 27321970A002598FCB05DFA8C580A9DBBF6BF89310F2585A9E446AF369D734ED49CB50

Function 02929920 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4107496956.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f99cb32462e808a2ce5e126344e020ce0b806abfff709c39e5a64fd4ae7d2c5
Instruction ID: 28fb516846a5168af6acc14ffab7dcca7e755af03b88b8f939073c67fc4ed15f
Opcode Fuzzy Hash: 5f99cb32462e808a2ce5e126344e020ce0b806abfff709c39e5a64fd4ae7d2c5
Instruction Fuzzy Hash: 8BB14270E00319CFEB14CFA9D98179DBBF6BF88314F249529D419E7258EB749849CB81

Function 055EF4E8 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4108832387.00000000055E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55e0000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 09b941c47b099d3790b45ff9231f3a89e8d93ea05cce1f6a76db23e2b80f8a7f
Instruction ID: 7214eafa35c5ab1f3515725cb47b8b5b67e14277c38807775a5ebf3845b14f8c
Opcode Fuzzy Hash: 09b941c47b099d3790b45ff9231f3a89e8d93ea05cce1f6a76db23e2b80f8a7f
Instruction Fuzzy Hash: 4D714670A00B058FD728DF29D545B5ABBF6FF88304F108A2ED48AD7A50DB74E946CB91

Function 055EC7B9 Relevance: 1.6, APIs: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 055EC82D

Memory Dump Source

Source File: 00000000.00000002.4108832387.00000000055E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55e0000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 5801bdbb2911c1f9d70a5e14e175ca00426135e422a5e10e396befd84bcb3f9b
Instruction ID: b23cb6bffcc9b7cb32264611f224a7b57bddf7ecbb82432236c9ae988e226fea
Opcode Fuzzy Hash: 5801bdbb2911c1f9d70a5e14e175ca00426135e422a5e10e396befd84bcb3f9b
Instruction Fuzzy Hash: F531F570908398CEEB14DFA9E6047EA7FF5FB55308F0480AAD58597282C778A948CB71

Function 055E59F1 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,055E59BE,?,?,?,?,?), ref: 055E5A7F

Memory Dump Source

Source File: 00000000.00000002.4108832387.00000000055E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55e0000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 68e21cd947c0c02dbe2aa954a695cad67c876db5aa9300dd797d79729e72aea7
Instruction ID: fe28fc51d69f4565ece37d920859788ec25f97c7f77d2650299bc09675817a81
Opcode Fuzzy Hash: 68e21cd947c0c02dbe2aa954a695cad67c876db5aa9300dd797d79729e72aea7
Instruction Fuzzy Hash: 462126B5D00248DFDB10CF9AD985AEEBFF8FB48314F14801AE955A3210D374A941CFA1

Function 055E537C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,055E59BE,?,?,?,?,?), ref: 055E5A7F

Memory Dump Source

Source File: 00000000.00000002.4108832387.00000000055E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55e0000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 55493d72b4bda853fd1febcb3eef781f16cd243ef8536a1728cb40760d173095
Instruction ID: 817b4d1349645e7bc8ccb3b21a4be1002784dbdfb17add84e1360052835372f5
Opcode Fuzzy Hash: 55493d72b4bda853fd1febcb3eef781f16cd243ef8536a1728cb40760d173095
Instruction Fuzzy Hash: F92116B5900219EFDB10CF9AD484ADEBFF4FB48310F14801AE915A7310D374A940CFA1

Function 055E2389 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(05153BA0,00000000,?,?,?,?,?,05153BA0,?,055E21FE,00000000,00000000), ref: 055E240B

Memory Dump Source

Source File: 00000000.00000002.4108832387.00000000055E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55e0000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 093f4660df8543ba502468766f613a3b0b92ca63adae8c27fa01cf6e44dc2378
Instruction ID: 64fac100ea510df78f5e0684d30218525967dd48f9fa5caf12065141526c4905
Opcode Fuzzy Hash: 093f4660df8543ba502468766f613a3b0b92ca63adae8c27fa01cf6e44dc2378
Instruction Fuzzy Hash: A72147B5900209DFCB14CF9AD844BDEFBF9FB88320F10842AE459A7254C774A944CFA1

Function 055E1D74 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(05153BA0,00000000,?,?,?,?,?,05153BA0,?,055E21FE,00000000,00000000), ref: 055E240B

Memory Dump Source

Source File: 00000000.00000002.4108832387.00000000055E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55e0000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 513f54f3cb9816e4be1dfcfbd73663c6737ecfb394e14adaf5cab46a02dba699
Instruction ID: 83af5fd463a47672e2169e626323941fa6f1967d1e9bef94501bd76e6248bd2c
Opcode Fuzzy Hash: 513f54f3cb9816e4be1dfcfbd73663c6737ecfb394e14adaf5cab46a02dba699
Instruction Fuzzy Hash: A02135B5904209CFCB14DF9AC944BEEBBF9FB88320F10842AE459A7254C774A944CFA1

Function 055EE4D0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,055EF504), ref: 055EF73E

Memory Dump Source

Source File: 00000000.00000002.4108832387.00000000055E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55e0000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b46055f0c4a9c49c2d9fb98013de11d21ce2d88addd695a521efbc29aeed2a77
Instruction ID: 6556934a9110367203d8c7ef711e1e901170d6b0bcf1c8c16a23630e38dbfe89
Opcode Fuzzy Hash: b46055f0c4a9c49c2d9fb98013de11d21ce2d88addd695a521efbc29aeed2a77
Instruction Fuzzy Hash: 981120B5C00248CBDB14CF9AC444ADEFBF4FF88210F10842AD459A7210C775A945CFA1

Function 055EC7C8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 055EC82D

Memory Dump Source

Source File: 00000000.00000002.4108832387.00000000055E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55e0000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2f61ae0fc5a6b549fa48a67fedca85ac44b81ebe7be20dd420094418bb451338
Instruction ID: 1959085fa3b216117f4b02d49615104368e4e2610b5528053e9922ea3966160b
Opcode Fuzzy Hash: 2f61ae0fc5a6b549fa48a67fedca85ac44b81ebe7be20dd420094418bb451338
Instruction Fuzzy Hash: A21182718043A8CEEB10DF99D6047EEBFF4EB05314F54806AD595A7242C379AA48CFB5

Function 00F9D5DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4107254745.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5790e7bbec39893919f74ccdd2fa9b5b947947ac1c9818273f44bc5254f832
Instruction ID: 8b4ae841f6ec79e415714fc9670063ae37443eb0b6ae4b08a8b1729f9530bcce
Opcode Fuzzy Hash: cc5790e7bbec39893919f74ccdd2fa9b5b947947ac1c9818273f44bc5254f832
Instruction Fuzzy Hash: 8A210372904204DFEF05DF14D9C0B2ABF66FB98324F34C169E9094B256C336D856EAA2

Function 00FAD45C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4107284883.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fad000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce139b1a059e226a7500f63f56e0e14e01fd04145333a2e9a86b897ac60b9525
Instruction ID: 2569e53ce3059f786ce580381cc467dc9a2296cda0190b84199b3bf17c2ad1d9
Opcode Fuzzy Hash: ce139b1a059e226a7500f63f56e0e14e01fd04145333a2e9a86b897ac60b9525
Instruction Fuzzy Hash: CA2146B1904200DFDB04DF14D9C0B26BBA5FB89328F24C56DEC0A4B696C336E846DB61

Function 00F9D5D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4107254745.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: c6ffa3cbb4fcb69a6df5ea2b287ec491576a4bc7ef08cf75e3a6d390545f90ea
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 8B11E172804240CFDF06CF00D5C4B16BF72FB94324F24C2A9D8490B256C33AD85ADBA2

Function 00FAD457 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4107284883.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fad000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: e546e1ca0cbdfc8397b21af3521e5989f48e71802d4a032152d52bc0fb241b3a
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 7B11D0B5904280CFDB01CF14D5C4B15BF71FB45328F28C6A9D80A4B656C33AD80ADB61

Function 00F9D041 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4107254745.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9845d283d040e5732ee48e5476fd08139c241469629fcf00aa02189cab3421b0
Instruction ID: 5d198ef03fd677ed68b6f491dad0ab6cffe713c3b70593a6bfac93673eaf822c
Opcode Fuzzy Hash: 9845d283d040e5732ee48e5476fd08139c241469629fcf00aa02189cab3421b0
Instruction Fuzzy Hash: 9401FC714093449AFB108A25CD84767BF98DF40334F28C515ED094F25AC2399C41D6B2

Function 00F9D040 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4107254745.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fecca1df4d1ac87e956f28bcda34aad98a5e535dda7e67789dadb9b912a6159
Instruction ID: e5bd162d0623156ea713ed8d62cf830e3814873e6f924cbd45274d44bbf3bbd4
Opcode Fuzzy Hash: 2fecca1df4d1ac87e956f28bcda34aad98a5e535dda7e67789dadb9b912a6159
Instruction Fuzzy Hash: A9F0C2714093449AEB108A16CC84BA2FFA8EB50334F28C55AED084F29AC2799C45DAB1

Non-executed Functions

Function 02928D08 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vcm, xrefs: 02928F53

Memory Dump Source

Source File: 00000000.00000002.4107496956.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2920000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID: \Vcm
API String ID: 0-3044874373
Opcode ID: 856b6924f941b36c3422485d47b92c90ac3f83e1b29f571a8d721df8350c4c20
Instruction ID: fee78e17fbd8a3d441a7c9e1550488d72e6ca2f2b7826b93a50384b35bac16fc
Opcode Fuzzy Hash: 856b6924f941b36c3422485d47b92c90ac3f83e1b29f571a8d721df8350c4c20
Instruction Fuzzy Hash: E9916E70E00219DFDF10DFA9C9857EDBBF6BF88314F148529E405A7298DB349949CB91

Function 055E64C0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4108832387.00000000055E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55e0000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5e04a894750031384796dd9805891ee341f1428beec5005449e403ca9bbcee
Instruction ID: f0a18ae2a201fe38bfea218f00a4707da58ef9b641e0416af9f9557e5b6c7d95
Opcode Fuzzy Hash: 4b5e04a894750031384796dd9805891ee341f1428beec5005449e403ca9bbcee
Instruction Fuzzy Hash: A31290B44017668AF714DFA5EA882C93FA2B75A358F50430DD361AF2E5D7B8118ECF48

Function 055EE3BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4108832387.00000000055E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55e0000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a489ac4908a771d022b1ea301af7b8f8051b257cb2e60fd0a3304077032911
Instruction ID: 240f072288e51edf7d97afb41479eb71fcb5c606c2f9f6a4655b5460fa0d518d
Opcode Fuzzy Hash: 75a489ac4908a771d022b1ea301af7b8f8051b257cb2e60fd0a3304077032911
Instruction Fuzzy Hash: B7A1A132F1021ACFCF19DFB4C9449AEB7B6FF88300B15456AE906AB255DB31E945CB80

Function 055E64B0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4108832387.00000000055E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55e0000_b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62724165c62d07a2d09001ca25de9a7e070a9d53c274f7f9d0f7e13a1fd80db
Instruction ID: b5a53986d66f4ce1b1173e10a3af8c3207d1efc6dea33ee9c873cac15582b738
Opcode Fuzzy Hash: a62724165c62d07a2d09001ca25de9a7e070a9d53c274f7f9d0f7e13a1fd80db
Instruction Fuzzy Hash: E3C105B08017668BF714DFA5EA481C97BB2BB9A314F14430DE361AB2E5D7B4148ECF84

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: XenoRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

Windows Analysis Report
b1593574e46fb1f30b1da4fa594f43bb52b051a616db3.exe

Function 0292EE48 Relevance: 2.3, APIs: 1, Instructions: 763
COMMON

Function 02920B12 Relevance: 1.8, Strings: 1, Instructions: 576
COMMON

Function 02922320 Relevance: 1.6, Strings: 1, Instructions: 381
COMMON

Function 055EF4E8 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Function 055EC7B9 Relevance: 1.6, APIs: 1, Instructions: 79
COMMON

Function 055E59F1 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Function 055E537C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 055E2389 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 055E1D74 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON